US20100299292A1 - Systems and Methods for Application-Level Security - Google Patents

Systems and Methods for Application-Level Security Download PDF

Info

Publication number
US20100299292A1
US20100299292A1 US12/468,739 US46873909A US2010299292A1 US 20100299292 A1 US20100299292 A1 US 20100299292A1 US 46873909 A US46873909 A US 46873909A US 2010299292 A1 US2010299292 A1 US 2010299292A1
Authority
US
United States
Prior art keywords
behavior
user
patterns
web
pattern
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US12/468,739
Other versions
US8356001B2 (en
Inventor
Carlos Miguel Collazo
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
LAYER8 SECURITY Inc
Original Assignee
Mariner Systems Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mariner Systems Inc filed Critical Mariner Systems Inc
Priority to US12/468,739 priority Critical patent/US8356001B2/en
Assigned to MARINER SYSTEMS INC. reassignment MARINER SYSTEMS INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: COLLAZO, CARLOS MIGUEL
Priority to JP2012511848A priority patent/JP2012527691A/en
Priority to PCT/US2010/033193 priority patent/WO2010135068A1/en
Priority to EP10778096.7A priority patent/EP2433215A4/en
Priority to CA2762429A priority patent/CA2762429A1/en
Priority to AU2010250015A priority patent/AU2010250015A1/en
Publication of US20100299292A1 publication Critical patent/US20100299292A1/en
Assigned to XYBERSECURE, INC. reassignment XYBERSECURE, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MARINER SYSTEMS, INC.
Publication of US8356001B2 publication Critical patent/US8356001B2/en
Application granted granted Critical
Assigned to XYBERSHIELD, INC. reassignment XYBERSHIELD, INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: XYBERSECURE, INC.
Assigned to XSI HOLD CO. reassignment XSI HOLD CO. MERGER (SEE DOCUMENT FOR DETAILS). Assignors: XYBERSHIELD, INC.
Assigned to LAYER8 SECURITY, INC. reassignment LAYER8 SECURITY, INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: XSI HOLD CO.
Expired - Fee Related legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security

Definitions

  • This invention relates generally to application-level security systems, and more particularly, to web application security systems collecting information about application-level functional user behavior, and correlating the information collected with evaluation patterns to detect security threats before the attacks occur.
  • Security is one of the largest concerns and markets for Internet.
  • the security threat to Internet-based commerce grows daily, as more users and companies access sensitive information over the Internet, such as credit card information and employee records.
  • the majority of the solutions for Internet security are focused on the network, the operating environment of the servers, and the data.
  • Network firewalls block unauthorized access to assets and allow certain kinds of access to occur (e.g., for authorized users such as customers).
  • a network firewall can block communications originating from a particular IP address.
  • Network-level security solutions such as hardware firewalls usually implement rules or access control lists for determining access permissions.
  • hardware firewalls can protecting a private network by limiting the access permissions of outside network traffic.
  • Attackers are discovering that manipulating applications to gain access through the open doors of the hardware firewall is more effective. These attacks work by exploiting the web server and the applications it runs to enter through the same open door in the perimeter defenses that normal users (e.g., customers) use to access the website. In such instances, attackers generally exploit vulnerabilities in the code of the web application.
  • An application-level attack is SQL injection. Web applications vulnerable to this type of attack often use user input, such as text input in form fields, to construct SQL queries by concatenating the text received from the user with SQL code to form a SQL query. If the appropriate text is submitted through the form field such that a malicious query is formed instead of the intended query, the web application may return information not intended for the user, such as passwords, or other kinds of personal information.
  • Packet-level solutions cannot also distinguish network traffic coming from one application to another easily. Packet-level solutions are also expensive, and can slow down the speed of the network significantly as the firewall filters these packets for application data. Furthermore, packet-level solutions cannot be adapted and modified easily based on the particular application. Additionally, packet-level solutions cannot accurately and adequately track functional behavior on an application, because packet-level solutions can only interpret and attempt to reconstruct the application-level user behavior from the raw packet data. Reconstruction of the raw packet data introduces ambiguity and reduces the performance of the security system. Moreover, existing solutions do not automatically learn new patterns of benign and/or malicious behavior, and can only work with a given set of threat signatures (i.e. threat signatures provided by the hardware vendor or system administrators).
  • threat signatures i.e. threat signatures provided by the hardware vendor or system administrators.
  • web application security systems collect qualitative and/or quantitative information about application-level functional user behavior, transforming the information collected into behavior patterns comprising qualitative data with quantifiable values, and correlate the behavior pattern with evaluation patterns to detect security threats before the attacks occur.
  • Embodiments of the described security system discern between normal and malicious behavior (e.g., a customer entering a wrong password due to a typo versus an attacker performing a dictionary attack on the password, respectively) through real-time analysis and correlation of behavior patterns (e.g., in a browser session) in relation to other behavior patterns of the application, threat signatures, and overall usage of the web application.
  • the web application provided by a web server can be a database program, an email program, video game, an e-commerce web site, or other suitable web application.
  • Functional user behavior with such application may include a timestamped user click on a button, text input in a form field, sequence of pages visited by the user, or other suitable user interaction.
  • the system uses a behavior analysis engine to transform the qualitative and/or quantitative information about functional user behavior on the web application into a behavior pattern, and uses a correlation engine to correlate the behavior pattern with each of a plurality of evaluation patterns using statistical analysis or any other suitable correlation methods.
  • the qualitative and/or quantitative information collected about functional user behavior may be transformed into a behavior pattern comprising quantitative and/or qualitative information stored in a different format than the originally-collected data, such that the behavior pattern can be correlated easily with evaluation patterns (e.g., transform the collected data such that the format of the behavior pattern matches with the inputs of the correlation method).
  • Evaluation patterns may be specific to the application being protected by the system. At least one of the evaluation patterns is associated with malicious behavior.
  • the process of transforming qualitative and/or quantitative information collected outputs a behavior pattern that comprises data that qualitatively describes the application-level functional user behavior.
  • the qualitative data may include quantifiable values to facilitate storage and/or quantitative analysis such as statistical correlation.
  • raw data comprising a page sequence e.g., timestamped HTTP page requests, both quantitative and qualitative
  • Whether a page sequence is robotic or not may be quantified as a “0” or “1”, or alternatively, a range of values to describe the relative level of robotic behavior, such as “0.56” or “0.3”.
  • the process of transforming information collected reduces the set of raw data collected into a manageable set of data for correlation.
  • the transformation process is integrated with the correlation process, where the transformation process may dynamically change depending on initial correlation results with certain evaluation patterns.
  • the qualitative and/or quantitative information about functional user behavior is collected over a user behavior session by the web server hosting the web application.
  • a user behavior session is defined as the end user behavior in using an application directly or indirectly from the time when the user begins to interact with the web application to the time when the user ceases to interact with the web application. For example, a browser cookie may be used to identify the user behavior session.
  • the security system has a frame construct to represent threat signatures.
  • Each frame is a template for describing a profile of an application-level attack.
  • a frame comprises attributes such as functional abuse traits, data injection, command injection, and threat signatures.
  • the frame attributes are automatically or manually populated by the system to create evaluation patterns that are application-specific.
  • an evaluation pattern can be implemented in many ways.
  • an application-specific evaluation pattern can be a vector representing a list of functional abuse traits present in a specific attack on an email application.
  • the evaluation pattern can be implemented as an associative array with frame attributes as keys with values (e.g., “0” and “1”) to represent the presence or absence of certain attributes.
  • the values may be represented by a number between 0 to 100 as weights that represent the relative importance of finding that attribute in the behavior pattern.
  • a frame may represent a particular page sequence which may indicate functional abuse.
  • the qualitative and/or quantitative functional user behavior can be tracked, collected and stored using any suitable method.
  • client-side scripting such as JavaScript code
  • a server object is installed on the web server hosting the web application to capture relevant requests (e.g., server-side scripting) from clients to the web server, such as page requests.
  • the information about functional user behavior collected may be transformed into a behavior pattern, wherein the behavior pattern is defined by the presence or absence of certain attributes. These attributes may qualitatively describe the functional user behavior activity, and the values for those attributes may be quantitative to facilitate storage and/or correlation. These attributes may be application-specific.
  • a behavior pattern may be implemented as a hash table for mapping relevant qualitative attributes (e.g., average time intervals between page hits on “book_eventA.html”) to quantitative values (e.g., 0.35 hits/second).
  • relevant qualitative attributes e.g., average time intervals between page hits on “book_eventA.html”
  • quantitative values e.g. 0.35 hits/second.
  • user requests comprising information about functional user behavior are tracked during a user behavior session.
  • Information about functional user behavior in the user request may comprise the timestamp of a page request, the application the request belongs to, identification of the user behavior session (e.g., browser session, cookies), request payload (e.g., URI, query string, header parameters, posted data), or any other suitable information about functional user behavior.
  • a behavior pattern is associated with qualitative attributes that have quantifiable values associated with them. For instance, a qualitative attribute may be the presence of a regular expression in the text input entered by the user, and the quantifiable value may be a “0” or “1”.
  • the information about functional user behavior is a page sequence. The page sequence is transformed into a behavior pattern comprising quantifiable values for the following qualitative attributes:
  • Raw data on information about functional user behavior is transformed into a behavior pattern using any suitable means.
  • the resulting behavior pattern may comprise qualitative values as well, such as the page sequence itself.
  • the behavior pattern is stored in the security system for further analysis.
  • the behavior pattern is correlated with each of the set of evaluation patterns.
  • the behavior pattern continues to be correlated with evaluation patterns as more information about application-level functional user behavior is collected.
  • Correlation methods may comprise checking the quantitative values in the behavior pattern against some known value, such as a threshold. For instance, correlation may comprise checking the variance of time intervals between each page request against 0 . 03 ; if the variance is below 0.03, the page sequence may indicate a robotic, non-human-like functional user behavior/activity on the web application (e.g., qualitative data indicating user behavior is robotic).
  • correlation is performed using statistical methods (e.g., classification methods) by finding the statistical correlation between the behavior pattern and each of the known evaluation patterns.
  • Other correlation or classification methods used may include neural networks, nearest-neighbor classifiers, decision trees, or any other suitable classification techniques.
  • the set of known behavior patterns may be organized by categories or may be related to each other in the form of a hierarchy, where other kinds of classification techniques may be more suitable.
  • correlation is performed on the behavior pattern using pattern matching methods to match a page sequence over a user behavior session with a known page sequence pattern.
  • the behavior pattern stored in the system is qualitative.
  • the result of the correlation is used to determine whether the user behavior session is correlated with a security threat.
  • a remediative action is automatically executed to react to the security threat.
  • the remediative action comprises contacting a system administrator about the security threat by email.
  • the remediative action is manually executed.
  • the behavior patterns collected over time and over many users are used to detect new evaluation patterns.
  • the system learns, detects and extracts new abnormal and/or malicious evaluation patterns using any suitable clustering algorithm.
  • the system also learns, detects and extracts normal patterns.
  • the new evaluation patterns can be integrated with the existing set of evaluation patterns for future correlation and analysis.
  • FIG. 1 is a diagram of an illustrative web application system in accordance with one embodiment of the invention
  • FIG. 2 is a diagram of an illustrative web application security system in accordance with one embodiment of the invention.
  • FIG. 3 show illustrative display of an illustrative web application
  • FIG. 4 is an illustrative flowchart for correlating functional user behavior with known evaluation patterns in accordance with one embodiment of the invention
  • FIG. 5 is a diagram of an illustrative method for creating evaluation patterns in accordance with one embodiment of the invention.
  • FIG. 6 is an illustrative diagram for a multi-tiered application-level security system in accordance with one embodiment of the invention.
  • FIG. 1 shows an illustrative web application system 100 in accordance with one embodiment of the invention, implemented as a server-client system.
  • Web server 102 comprises a server computer running a computer program responsible for receiving requests from clients to serve web pages.
  • Web server 102 may comprise control circuitry 110 to send and receive commands, requests, and other suitable data.
  • the control circuitry 110 may be based on any suitable processing circuitry such as processing circuitry based on one or more microprocessors, microcontrollers, digital signal processors, programmable logic devices, etc.
  • Web server 102 may also include data storage components 112 for maintaining databases and files.
  • Data storage components 112 may comprise random-access memory or hard disks.
  • the databases and/or files may be stored in a different web server (not shown) from web server 102 .
  • Web server 102 may be accessible on the Internet, a local area network (LAN), wireless network, or any other suitable network, using communications device 114 such as an Ethernet card or data modem.
  • Web server 102 may be configured to communicate with other servers or clients using communications device 114 . Via communications device 114 , web server 102 is accessible by various devices suitable for accessing the application running on web server 102 .
  • Web server 102 runs one or more instances of web application 116 .
  • Any suitable approach may be used to provide web application 116 to a client.
  • Any client i.e., a user
  • Any client may access and/or run an instance of web application 116 using any suitable approach.
  • a server-client based approach can be used by an email server to provide a web-based email application to a user.
  • a user may use a blackberry to access, send and receive emails using a web browser implemented on the blackberry to access the web application.
  • a user may access the web application running on the server using remote desktop software (e.g., pcAnywhere by Symantec).
  • Web application 116 may be an online-banking web application, a social networking community web site, an online calendar application, an e-commerce application, or any other suitable web site.
  • Web application 116 may support accessing and displaying data such as files and databases (e.g., to display device 118 or other devices coupled to the system).
  • Web server 102 may use external storage for providing the third-party data.
  • the data may include image files, audio files, or databases.
  • Web server 102 may be configured to process HTTP requests and responses, or support interfaces such as PHP, ASP or MySQL.
  • Web server 102 may be configured to serve static and/or dynamic content.
  • Web server 102 may be accessible by personal computer 104 or a laptop 111 , or any other suitable user equipment devices.
  • a plurality of devices such as computer 104 , laptop 111 , or any other suitable user equipment device may be connected to web server 102 concurrently.
  • Personal computer 104 comprises processor 120 for sending requests to the web server to request data and for processing received data from the web server, and display 122 for displaying web pages.
  • Personal computer 104 may include input device 124 such as a mouse, keyboard, touch pad, microphone, actuator, or any suitable input devices.
  • Personal computer 104 may be used by a human user, or may be controlled by a bot or network of bots, or may be accessed by the human user or by a bot from a remote location.
  • a web browser is implemented on personal computer 104 to render web pages and data received from web server 102 to be displayed on display 122 .
  • Personal computer 104 may be configured to communicate with web server 102 using any suitable communications protocols and medium via communications device 126 .
  • Laptop 111 can be implemented in similar fashion.
  • web server 102 is accessible by mobile device 106 , such as a Palm Pilot, iPhone or Blackberry.
  • Mobile device 106 comprises display 128 for displaying web pages, communications device 132 for sending requests to the web server to request data, and processor 130 for processing received data from the web server and displaying web pages to display 128 .
  • Mobile device 106 may include user input device 134 such as a touch screen, a scroll ball, keypad, microphone, haptic sensors, actuator, or any suitable input devices.
  • Mobile device 106 may be used by a human user.
  • a web browser is implemented on mobile device 106 to render web pages and data received from the web server 102 on display 128 .
  • Mobile device 106 may be configured to communicate with web server 102 using antenna 136 and communications device 132 for over the air transmissions, or using any suitable communications protocols and medium.
  • web server 102 is accessible by server 108 .
  • Server 108 comprises processor 138 , communications device 140 and data storage components 142 .
  • Server 108 may be used as a web application acceleration server to improve the performance (e.g., to improve response time for certain web pages in application 116 ).
  • Server 108 may be responsible for storing data for web server 102 , such as for backup purposes, or for hosting a portion of the data provided by application 116 .
  • Server 108 may also provide functionalities for application 116 running on web server 102 , such as credit card payment processing or some server/processor intensive process.
  • Server 108 can be a mirror server running the same or part of application 116 running on the web server 102 .
  • Server 108 may be configured to communicate with web server 102 using any suitable communications protocols and medium via communications device 140 .
  • the functionalities of web server 102 and server 108 are combined and provided from a single system at a single facility, or multiple systems at multiple facilities.
  • User equipment such as personal computer 104 , mobile device 106 and laptop 111 may include any equipment suitable for providing a web application experience. Other examples of user equipment can include gaming systems (e.g., PlayStation), set top boxes, IP phones, etc.
  • a user may use the user equipment to perform functions using web application 116 .
  • a user may click on a link on a web page to request another web page from web server 108 (e.g., sends an HTTP request to the web server 104 ).
  • web server 108 Upon receiving the HTTP request, web server 108 processes the request and sends an HTTP response to the user equipment, where the response includes information needed to display the web page requested.
  • Web server 102 may not run a web application that provides web sites to clients. Web server 102 may provide data and other functions to an instance of an application or program running on user equipment. In one embodiment, web server 102 may provide flight schedule information to mobile device 106 used by an air traffic controller. Mobile device 106 may have a database program implemented thereon, such as an instance of FileMaker, or Microsoft Access. The database program may send database requests or queries for flight schedule data stored on web server 102 . Web server 102 may also request third party data, such as weather information, from a remote server similar to server 108 .
  • third party data such as weather information
  • Web server 102 may be a file server configured to support cloud computing, providing the infrastructure and software as a service to users.
  • Web server 102 or in conjunction with other distributed servers, may provide users with access to data, files and applications.
  • web server 102 may be used to support a project management tool for storing a repository of files associated with business projects, and to provide access of the data, files and applications to users around the world.
  • FIG. 2 shows an illustrative web application security system 200 in accordance with one embodiment of the invention.
  • Web server 204 , web server 206 , client 208 and client 212 may be configured to communicate using a server-client approach or any other suitable approach.
  • Web server 204 , web server 206 , behavior analysis engine 216 , correlation engine 218 , and learning engine 220 are configured to communicate with each other via network 202 (e.g., Internet, Wide Area Network, Local Area Network, cellular network, etc).
  • network 202 allows web server 204 to communicate with client 208 and client 212 to provide a server-client web application experience (e.g., by communicating with HTTP requests and responses).
  • Web server 204 and/or web server 206 may use network 202 to communicate data about functional user behavior to the behavior analysis engine 216 .
  • the data about functional user behavior is captured on the server-side. In other embodiments, the data about functional user behavior is captured on the client-side.
  • Network 202 may be implemented in any suitable topology. Communications on network 202 may be any suitable communications protocol (e.g., HTTP over TCP/IP).
  • Web server 204 implementing application 222 is coupled to network 202 , and may be configured in a similar fashion as web server 102 .
  • Web server 206 is coupled to the network 202 , and may be implemented in a similar fashion as server 108 .
  • the functionalities of the web server 204 and web server 206 are combined and implemented as a single system in a single facility. In alternative embodiments, those functionalities are implemented as a plurality of systems in a plurality of facilities.
  • Web server 204 and/or web server 206 may be configured to send data associated with functional user behavior to behavior analysis engine 216 .
  • Correlation engine 218 or another server computer may be configured to communicate with web server 204 , web server 206 , client 208 , and client 212 to execute a remediative action in response to detecting malicious behavior.
  • Web server 204 and web server 206 are accessible by at least one client, for instance, client 208 and client 212 .
  • Client 208 and client 212 may be a personal computer, a mobile device, a laptop, a server, or any suitable device configured to communicate and access the web server 204 and/or web server 206 , as described in relation to FIG. 1 .
  • Client 208 and client 212 may be configured to establish a user behavior session, user behavior session 210 and user behavior session 214 respectively (e.g., browser sessions as established by a browser cookie).
  • each client machine may establish more than one user behavior sessions.
  • client 208 and client 212 is shown, other clients implemented in a similar fashion may also establish behavior sessions. Multiple clients may be connected to web server 204 or web server 206 at the same time.
  • a user behavior session such as user behavior session 210 and user behavior session 214 , defines the session where characteristics of functional user behavior on an application are collected.
  • a user behavior session may be associated with a particular browser cookie.
  • the information that security system 200 keeps track of during a user behavior session may include a web page or screen sequence navigated by the user, along with the time intervals associated with each page.
  • Other information about functional user behavior may include input in web pages, screens, or forms of the application. Other examples may include timestamped user clicks or touch strokes within a web page or screen of the application.
  • the functional user behavior may be processed and tagged by the context of the behavior.
  • a click on an image on a web page may be tagged with a description of the image (e.g., “information icon”).
  • a description of the image e.g., “information icon”.
  • functional user behavior in a browser session on an application is monitored and tracked over time, and the information about the functional user behavior collected during the browser session (i.e., a user behavior session) is transformed and stored in a behavior pattern.
  • Tracking functional user behavior in a user behavior session improves upon tracking a single connection between clients and servers (i.e., tracking traffic to and from a single IP address). Blocking and protecting against a single connection (i.e., IP address) may be ineffective because a hacker or abusive user may try and establish connections using multiple IP addresses to launch attacks.
  • the information about functional user behavior is analyzed by behavior analysis engine 216 .
  • the qualitative and/or quantitative information about functional user behavior may be captured by server object 224 installed on web server 204 .
  • the information captured by server object 224 (or a client-side script) may be communicated to behavior analysis engine 216 over network 202 for further processing.
  • Behavior analysis engine 216 may be implemented on the web server 204 or web server 206 , or may be implemented as a separate server, or as multiple servers.
  • Behavior analysis engine 216 may be configured to communicate with clients of the application 222 (e.g., client 208 and client 212 ), web server 204 and web server 206 to collect qualitative and/or quantitative information about functional user behavior.
  • behavior analysis engine 216 is implemented in a distributed server system, where the collected information is quickly synchronized across the network.
  • Behavior analysis engine 216 may be configured to monitor, track, store, transform, and analyze functional behavior on web application 222 .
  • Behavior analysis engine 216 may be configured to track and collect user behavior sessions for a part of web application 222 , or may be configured to track and collect user behavior sessions for multiple web applications.
  • a behavior tracker script (e.g., JavaScript file) is installed on pages of web application 222 to track user clicks or text input or any functional user behavior.
  • the behavior tracker script and behavior analysis engine 216 may be configured to track and store a predefined set of various kinds of functional user behaviors. Behavior analysis engine 216 may also track non-functional user behavior (e.g., IP/TCP packet header data sent between servers and clients), or work with network firewalls to track other data.
  • Server-side scripts may be installed as a server object 224 on web server 204 and web server 206 to track requests and responses between the servers and clients.
  • the scripts may be configured to send data associated with functional user behavior to a separate data storage location, such as relational database 226 or any other suitable data storage components on behavior analysis engine 216 for further analysis.
  • Behavior analysis engine 216 may be configured to organize incoming data associated with functional user behavior into user behavior sessions using browser cookies. The data collected may be aggregated, processed, transformed and analyzed by behavior analysis engine 216 .
  • information about functional user behavior is transformed from raw data collected from users and/or clients into behavior patterns, where the behavior pattern is in a format that matches with the inputs of the correlation methods.
  • the behavior patterns stored and collected in relational database 226 may be used by learning engine 220 to improve the algorithms running on behavior analysis engine 216 and correlation engine 218 .
  • the functional user behavior is tracked by server object 224 in web server 204 , and the information about the functional user behavior in the user behavior session is stored in relational database 226 in behavior analysis engine 216 .
  • an HTTP request for a web page from a user may be stored as a new record in relational database 226 .
  • the information and records in relational database 226 may be aggregated during a user behavior session to form a behavior pattern that represents and qualitative describe application activities within a browser session.
  • Page history during a user behavior session may be stored as a hash table for quick retrieval and access. The information aggregated may be further processed and transformed into a behavior pattern.
  • the raw data gathered during a user behavior session may be transformed into a behavior pattern by representing the presence of certain user input characteristics and presence of pages in the page sequence as a multidimensional vector in a relational database.
  • the behavior pattern qualitatively describes application-level functional user behavior and may further comprise quantifiable values for certain qualitative attributes and characteristics of functional user behavior.
  • page sequence in a user behavior session may be transformed into a behavior pattern by using a Markov chain.
  • the Markov chain may have a plurality of states.
  • the Markov chain may change the current state depending on the next page in the page sequence in a user behavior session.
  • a Markov chain may model a page sequence in a user behavior session, and at each page request, behavior analysis engine 216 may update the current state of the Markov chain.
  • the current state can reflect previous page visits in the page sequence.
  • the Markov chain allows pattern matching to occur without doing a full search on the sequence each time a new page request is received at behavior analysis engine 216 .
  • correlation engine 218 is implemented to correlate behavior patterns associated with functional user behavior during a particular behavior session (e.g., aggregated by behavior analysis engine 216 over a browser session) with a set of evaluation patterns (e.g., a set of known behavior profiles).
  • the raw data (qualitative and or quantitative) associated with functional user behavior collected from users and/or clients may be transformed into a format that matches the input of the correlation engine 218 .
  • the data in this format is stored as a behavior pattern, and the data is qualitative and/or quantitative.
  • the raw data of an HTTP request (e.g., POST) may be parsed to look for attributes in the evaluation patterns (e.g., parsing for particular regular expressions).
  • the result of parsing the HTTP requests may be transformed into a vector that keeps track of whether certain regular expressions have appeared in the HTTP requests.
  • An example of a behavior pattern is:
  • An example of an evaluation pattern representing a malicious profile is:
  • Correlation engine 218 correlates current behavior patterns with known evaluation patterns. For instance, information about page sequence in a user behavior session stored in relational database 226 may be transformed into a state in a Markov chain; the state may be used as part of the correlation process to determine whether the current state is associated with malicious behavior or not. Evaluation patterns will be described in further detail in relation to FIG. 5 .
  • the correlation engine and the algorithms implemented thereon may be automatically or manually updated to reflect additional information learned about user behavior and new information about the application.
  • the correlation engine 218 may be implemented differently depending in part on application 222 running on web server 204 .
  • results of correlations are tracked and reported to system administrators for further inspection and analysis.
  • Results may also be used to train (e.g., using learning engine 220 ) the classification system in correlation engine 218 .
  • results may be used to recluster the set of behavior patterns in learning engine 220 .
  • learning engine 220 is implemented to learn from behavior patterns collected by behavior analysis engine 226 and the results from the correlation engine 218 using any suitable artificial intelligence learning algorithms.
  • Learning engine 220 is configured to update the set of known behavior patterns over time. For instance, based at least in part on the behavior patterns collected, the learning engine can recluster the behavior patterns against the set of known evaluation patterns to detect new evaluation patterns.
  • learning engine 220 can use information about past attacks (e.g., such as the time frame of a past attack) as a heuristic to recluster the behavior patterns.
  • Learning engine 220 may use a combination of heuristics and evolutionary algorithms. Heuristics may include information about past attacks, such as the locale of where the past attacks originated from.
  • the new evaluation patterns learned from the reclustering process can be integrated with the set of known evaluation patterns in correlation engine 218 .
  • System 200 may modify the correlation engine 218 by incorporating new evaluation patterns detected in learning engine 220 .
  • the new evaluation patterns may become more specific to application 222 that system 200 is protecting, and thereby improve the performance of detecting security threats.
  • the new evaluation patterns may represent new user behavior patterns, perhaps due in part to changes in the application or changes in user activities on the application. System 200 can then adapt to those changes automatically, without requiring manual re-configuration by the system administrator.
  • Clustering methods may include artificial intelligence algorithms such as hierarchical clustering, partitional clustering and spectral clustering.
  • Learning engine 220 may be adapted and modified to reflect changes in application 220 , new features tracked by system 200 , new kinds of functional behavior, changes in the distribution of the functional user behaviors, or new knowledge about methods used by hackers.
  • the clustering method may adapt to behavior patterns collected, or any other factors.
  • Learning engine 220 may run automatically and continuously over time, or it may run at scheduled time intervals, or it may run as instructed by system administrators.
  • the system 200 collects information for behavior patterns in current user behavior sessions or past user behavior sessions.
  • Learning engine 220 continuously or discretely correlates the behavior patterns collected with the set of known evaluation patterns.
  • the behavior patterns collected may be reclustered by learning engine 220 to detect and learn new evaluation patterns. For instance, as the application is being used by users over time, normal functional user behavior patterns may emerge as more users use the web site, and those emerging patterns may not have existed as part of the set of evaluation patterns. In some embodiments, abnormal behavior may emerge as more users use the web site. For example, a group of hackers may have discovered a potential vulnerability of the application, and may attempt a series of attacks. The hackers' attempts can be detected by learning engine 220 .
  • the learning process in learning engine 220 may take place online and/or offline on a regular time basis. New evaluation patterns found using learning engine 220 can be incorporated offline with the behavior analysis engine 216 and correlation engine 218 via an automatic process.
  • behavior analysis engine 216 may be implemented on multiple servers, or all or a subset of the engines can be combined and implemented on a single individual server.
  • FIG. 3 shows an illustrative display of an illustrative web application.
  • security system 200 collects information about functional user behavior on the web application running on web server 204 , web server 206 , and/or web server 102 .
  • the illustrative web application may be provided to users and clients as a web site as described in relation to FIG. 1 .
  • FIG. 3 shows screen shot 300 of a web site in an illustrative embodiment.
  • a “register_form.html” page of the web site “website.com” is as shown in address bar 302 . Hyperlinks to other parts of the web site are provided in navigation bar 304 .
  • a user may click on the “Contact” link to navigate to a different web page, or activate a script or program to send a communication to the server.
  • User clicks, navigation to a different web page, activating a script or program to send a communication, or any other suitable user activity, may be functional user behavior tracked and monitored by behavior analysis engine 216 .
  • Clicks on a button that activates script, program, or sends a request may be a potential vulnerability which attackers may use repetitively to slow down the server and perform a denial of service attack.
  • a user may provide text input for login fields 306 , or text input for search field 308 .
  • the input provided along with an identification of the text field may be tracked by server object 224 in web server 204 and may be transmitted to behavior analysis engine 216 for further processing.
  • Text fields may be vulnerable because hackers and attackers can use the field to perform a buffer overflow attack. Users may also be able to insert commands by submitting special characters in login fields 306 and search field 308 , or any other input field that receives text.
  • a hacker may also use a dictionary attack to gain access to the system via login fields 306 , and the repeated attempts to gain access may be tracked as repeated sequences of “login.html” and “error.html” in the page sequence tracked by behavior analysis engine 226 .
  • Timestamped data of functional user behavior tracked by server object 224 and behavior analysis engine 216 may be stored in relational database 226 .
  • the timestamp is quantitative data and the pages in the repetitive sequence are qualitative data collected over a user behavior session.
  • the timestamp and pages in the sequence may be transformed into a behavior pattern.
  • the behavior pattern may be stored in relational database 226 .
  • the behavior pattern is used as an input to the correlation engine 218 .
  • the web application may include form fields in registration form 310 .
  • Registration form 310 may invoke backend database queries on web server 204 and web server 206 . Data provided through the form may be malformed and can cause errors on the server side.
  • Multiple registrations may also be problematic for a web application and can be a common functional abuse trait for a web site. For an e-commerce web site that offers a $10 (ten dollar) gift certificate to every one who registered for the web site, multiple account registrations may be problematic and costly.
  • Registration forms may also be vulnerable to SQL injections if the user enters a partial database query into the form field. For instance, the text including the partial database query parsed and sent to the backend database may become a malicious query requesting web server 206 to return the password of a user.
  • the illustrative web application shown in FIG. 3 may be configured to offer other services such as chat as shown in chat box 320 , and/or provide third-party information such as weather in area 322 .
  • Chat data may be provided from other entities, such as by client 212 , client 214 , personal computer 104 , mobile device 106 , laptop 111 , or by a computer program running on web server 102 , web server 204 or web server 206 .
  • the third-party information may be provided by server 108 or web server 206 .
  • These enhanced services on the illustrative web application may also be vulnerable to hackers and attackers.
  • a user may submit malicious trojans or scripts to dynamic web applications.
  • a user may perform denial of service attacks on the servers as hackers may be able to spoof legitimate requests to those third-party servers for malicious purposes. Abuses described in relation to FIG. 3 are commonly associated with application-level attacks.
  • FIG. 4 is an illustrative flowchart of a process 400 involved in correlating information about functional user behavior with known evaluation patterns to detect security threats, according to an embodiment of the invention.
  • Step 406 transforms the information collected by server object 224 into a behavior pattern or updates the behavior pattern (e.g., as stored in relational database 226 ) associated with the particular user behavior session. Transformation in step 406 may be performed by behavior analysis engine 216 .
  • the process 400 then proceeds to step 408 where the behavior pattern is correlated with evaluation patterns in correlation engine 218 .
  • the process determines whether the behavior pattern matches a malicious behavior pattern.
  • Step 408 and step 310 may be performed by correlation engine 218 .
  • step 410 results in yes, the next steps in the process 400 is to execute remediative action (step 412 ) and learning (step 414 ).
  • Any suitable server may be used to execute remediative action, such as an email server, or web server 204 .
  • the system may automatically execute remediative action (step 414 ), such as notifying the system administrator, or disabling the user account on the web application.
  • Evaluation patterns may or may not be associated with a remediative action. Remediative action associated with a evaluation pattern may be manually executed by a system administrator.
  • Remediative action may include modification (outside of application 116 or web server 102 ) such as sending an email to a system administrator with information related to the potential security threat.
  • Remediative action may include an alert inserted in application 116 or application 222 as a pop-up on a web page to inform the user that security system 200 has detected malicious behavior.
  • remediative action includes redirecting the browser session to a blocking page hosted on another server that halts and terminates the current session, and prevents further access and use of application 116 and application 222 . If the behavior pattern matches a evaluation pattern that is benign, the system may continue to collect information about functional user behavior during the user behavior session, continue to update behavior pattern, and continue to correlate the updated behavior pattern with evaluation patterns.
  • Updating analytics is performed by learning engine 220 in step 414 , where learning engine 220 uses the information about the behavior patterns collected over time to improve behavior analysis engine 216 and correlation engine 218 .
  • the metrics used in behavior analysis engine 216 and correlation engine 218 may be continuously updated and recalculated using cumulative data collected from current and/or past behavior patterns.
  • step 410 results in no, the next steps are to return to step 404 to collect more information about functional user behavior, and to update the analytics in step 414 .
  • the information in the behavior pattern is used to update behavior analysis engine 216 and/or correlation engine 218 in the learning step 414 by learning engine 220 .
  • FIG. 5 is a diagram of an illustrative method 500 for creating behavior patterns in accordance with one embodiment of the invention.
  • behavior patterns are correlated with evaluation patterns.
  • frames are either manually or automatically created for a particular application-level attack.
  • Frames include attributes such as functional abuse traits, data injection, command injection, and threat signatures.
  • a frame provides a modular and adaptive capability to model known application-level threat profiles as well as learned application-level threat profiles that may be specific to a host application and its users.
  • Frame 502 or any other frames may be created manually based at least in part on a system administrator's expertise in application-level attacks.
  • frames have parameters that can be adjusted for different applications.
  • Frames may be generic in nature. For instance, the detection of a regular expression as part of the user input may be a frame attribute.
  • frame attributes may be associated with a particular sequence of pages, as it can be interpreted as a sign of functional abuse. Either automatically or manually, frames may be constructed or adapted to create evaluation patterns by modifying and customizing frame attributes and parameters. The adaptive capability is advantageous because a particular sequence of pages can be interpreted as malicious while a similar repetition of pages may be normal in a different kind of application.
  • Evaluation patterns may be created from frames, where the frame attributes are adapted for the application being protected by the system. For instance, a frame with a regular expression as a frame attribute can be modified to create an evaluation pattern by associating the frame attribute with a specific regular expression (i.e., the parameter to the frame attribute). Frames may be adapted using learning engine 220 to create new evaluation patterns. Learning engine 220 may recluster behavior patterns to create new evaluation patterns by adjusting frame attributes or evaluation patterns attributes, or parameters to reflect new patterns detected by the reclustering process.
  • frame 502 has three threat signatures as frame attributes: argument injection 506 , command delimiters 508 , abusive resource consumption 510 .
  • Evaluation pattern 504 has evaluation pattern attributes. In general, frame attributes and evaluation attributes are qualitative, and the values for those attributes are qualitative and/or quantitative. Through an automatic process (e.g., using clustering methods in learning engine 220 ) or manual process, frame 502 , its attributes and parameters can be adapted to an application and become an application-specific evaluation pattern 504 . For argument injection 506 , frame attribute 506 is adapted to check functional user behavior by parsing specifically for “,”′′-- characters. For command delimiters 508 , the evaluation pattern may check behavior patterns by parsing /, ?
  • the evaluation pattern may check behavior patterns for the presence of a repetitive page sequence (e.g., “submit.html” appears 25 times) in a user behavior session.
  • a repetitive page sequence e.g., “submit.html” appears 25 times
  • the attribute for abusive resource consumption is modified to check for a different repetitive page sequence (e.g., adapting parameters for different applications).
  • Information associated with functional user behavior collected by server object 224 describes the functional user activity over a user behavior session, and may be transformed to a behavior session using behavior analysis engine 212 .
  • the raw data collected about the functional user behavior may be transformed by behavior analysis engine 212 into a behavior pattern in a way such that the behavior pattern can be processed and correlated easily.
  • the transformation may be performed by mapping the raw data collected by server object 224 to attributes within the set of known frame attributes and/or evaluation pattern attributes.
  • the mapping process may transform rows of raw data associated with functional user behavior in relational database 226 into a behavior pattern (e.g., into another row in another database table) that tracks the presence or absence of certain frame attributes and/or evaluation pattern attributes in those rows of raw data.
  • a behavior pattern e.g., into another row in another database table
  • an associative array keeping track of the presence or absence of certain attributes is used to represent the behavior pattern.
  • the behavior pattern are statistically and programmatically correlated with the set of known behavior patterns for the application.
  • the frames and behavior patterns can be created based at least in part of the general knowledge of types of attacks and application vulnerabilities, specific application-type and/or platform knowledge of existing vulnerabilities and previous attacks, and stochastic behavior analysis of collected behavior patterns.
  • the evaluation patterns may be updated via a reclustering process in learning engine 220 .
  • the evaluation patterns are manually updated by a system administrator.
  • application-specific behavior patterns are generated or created by the definition of specific pages to be considered for or excluded in a behavior pattern.
  • the process of generating or creating the behavior patterns may involve configuring parameters to the frames and evaluation patterns, such as specifying the regular expressions in the attributes of the frame and/or evaluation patterns.
  • the behavior patterns are created using statistical analysis, as described in relation to the learning engine 220 .
  • FIG. 6 is an illustrative diagram for a multi-tiered application-level security system in accordance with one embodiment of the invention.
  • Security system 200 may be implemented as a multi-tiered global infrastructure. Attacks are stopped closest to the source at points local to the attacks to prevent abusive and consumptive usage of resources of the host application's system. It may be advantageous to implement a plurality of local systems 606 at geographically distributed points to provide threat protection at the edge. In certain embodiments, local systems 606 may be used for threat remediative.
  • a plurality of regional systems 604 may be geographically located regionally and provide the hub for session detection, correlation, and analytics.
  • Regional systems 604 may comprise at least one of: behavior analysis engine 216 , correlation engine 218 , and learning engine 220 .
  • Regional systems 604 may implement components of processes described in relation to FIG. 4 .
  • At least one central system 602 may be located at major geographical points and be configured to provide the central core for reporting, management, and analytics. Central system 602 may be configured to synchronize information collected from different locations. In certain embodiments, central system 602 may be configured to process behavior patterns collected to learn new evaluation patterns, as described in relation to learning engine 220 and FIG. 4 . In some embodiments, the central system 602 may be configured to perform global analysis on the performance of the system, and/or report analytical data to administrators.
  • a computer usable and/or readable medium may consist of a read only or writeable memory device, such as a CD ROM disk, DVD, flash memory stick, conventional ROM devices, or a random access memory, such as a hard drive device or a computer diskette, having a computer readable program code stored thereon.

Abstract

A system and method for application-level security is disclosed. Application-level security refers to detecting security threats from functional user behavior. Information about functional user behavior is transformed into a behavior session. The behavior session is transformed into a behavior pattern. The behavior pattern is correlated with evaluation patterns to detect potential security threats. Behavior patterns are collected over time to improve analysis.

Description

    BACKGROUND OF THE INVENTION
  • This invention relates generally to application-level security systems, and more particularly, to web application security systems collecting information about application-level functional user behavior, and correlating the information collected with evaluation patterns to detect security threats before the attacks occur.
  • Security is one of the largest concerns and markets for Internet. The security threat to Internet-based commerce grows daily, as more users and companies access sensitive information over the Internet, such as credit card information and employee records. The majority of the solutions for Internet security are focused on the network, the operating environment of the servers, and the data.
  • For example, one of the prevailing solutions to Internet security has been network firewalls. Network firewalls block unauthorized access to assets and allow certain kinds of access to occur (e.g., for authorized users such as customers). For example, a network firewall can block communications originating from a particular IP address. Network-level security solutions such as hardware firewalls usually implement rules or access control lists for determining access permissions. For example, hardware firewalls can protecting a private network by limiting the access permissions of outside network traffic.
  • Protection at the application-level, however, has been largely neglected. Web applications written and deployed without security as a prime consideration can inadvertently expose sensitive or confidential information, facilitate web site defacement, provide access to private networks, perpetrate denial of service (DoS) attacks, and facilitate unhindered access to back-end databases. The stakes are high, and threats must be detected and remediated, before an attacker has a chance to launch an attack against the application.
  • Attackers are discovering that manipulating applications to gain access through the open doors of the hardware firewall is more effective. These attacks work by exploiting the web server and the applications it runs to enter through the same open door in the perimeter defenses that normal users (e.g., customers) use to access the website. In such instances, attackers generally exploit vulnerabilities in the code of the web application. One example of an application-level attack is SQL injection. Web applications vulnerable to this type of attack often use user input, such as text input in form fields, to construct SQL queries by concatenating the text received from the user with SQL code to form a SQL query. If the appropriate text is submitted through the form field such that a malicious query is formed instead of the intended query, the web application may return information not intended for the user, such as passwords, or other kinds of personal information.
  • Existing security solutions aimed at application-level attacks, such as Juniper Network's network firewalls, offers a packet-level solution to inspect the payload of a packet and stores the history of network traffic to model application-level activities. For instance, to protect against SQL injection, the network firewall inspects the packet payload data for special symbols. However, these solutions inspect packets at the network-level and requires reassembly, scrubbing, and normalization, because application-level activity is fragmented and out of order. The process of analyzing packet payloads to interpret the intent of the application data is difficult, cumbersome, and introduces significant overhead. Packet-level solutions cannot keep track of browser sessions easily, because session information, such as the data associated with browser session cookies, is not coherent at the network level. Packet-level solutions cannot also distinguish network traffic coming from one application to another easily. Packet-level solutions are also expensive, and can slow down the speed of the network significantly as the firewall filters these packets for application data. Furthermore, packet-level solutions cannot be adapted and modified easily based on the particular application. Additionally, packet-level solutions cannot accurately and adequately track functional behavior on an application, because packet-level solutions can only interpret and attempt to reconstruct the application-level user behavior from the raw packet data. Reconstruction of the raw packet data introduces ambiguity and reduces the performance of the security system. Moreover, existing solutions do not automatically learn new patterns of benign and/or malicious behavior, and can only work with a given set of threat signatures (i.e. threat signatures provided by the hardware vendor or system administrators).
  • It is difficult to distinguish malicious activity on the application-level (e.g., functional abuse) from normal, everyday web traffic at the network-level. Application attacks cannot be adequately prevented by intrusion-then-detection methods, network firewalls, or even encryption. There exists a need for a solution that can prevent application-level attacks and eliminate the shortcomings of the existing solutions.
  • SUMMARY OF THE INVENTION
  • In accordance with the principles of the present invention, systems and methods for detecting security threats before the attacks occur are disclosed. In the various embodiments described herein, generally speaking, web application security systems collect qualitative and/or quantitative information about application-level functional user behavior, transforming the information collected into behavior patterns comprising qualitative data with quantifiable values, and correlate the behavior pattern with evaluation patterns to detect security threats before the attacks occur.
  • Embodiments of the described security system discern between normal and malicious behavior (e.g., a customer entering a wrong password due to a typo versus an attacker performing a dictionary attack on the password, respectively) through real-time analysis and correlation of behavior patterns (e.g., in a browser session) in relation to other behavior patterns of the application, threat signatures, and overall usage of the web application. For example, the web application provided by a web server can be a database program, an email program, video game, an e-commerce web site, or other suitable web application. Functional user behavior with such application may include a timestamped user click on a button, text input in a form field, sequence of pages visited by the user, or other suitable user interaction.
  • The system uses a behavior analysis engine to transform the qualitative and/or quantitative information about functional user behavior on the web application into a behavior pattern, and uses a correlation engine to correlate the behavior pattern with each of a plurality of evaluation patterns using statistical analysis or any other suitable correlation methods. The qualitative and/or quantitative information collected about functional user behavior may be transformed into a behavior pattern comprising quantitative and/or qualitative information stored in a different format than the originally-collected data, such that the behavior pattern can be correlated easily with evaluation patterns (e.g., transform the collected data such that the format of the behavior pattern matches with the inputs of the correlation method). Evaluation patterns may be specific to the application being protected by the system. At least one of the evaluation patterns is associated with malicious behavior.
  • The process of transforming qualitative and/or quantitative information collected outputs a behavior pattern that comprises data that qualitatively describes the application-level functional user behavior. The qualitative data may include quantifiable values to facilitate storage and/or quantitative analysis such as statistical correlation. For example, raw data comprising a page sequence (e.g., timestamped HTTP page requests, both quantitative and qualitative) is transformed via analytical methods to determine whether the page sequence appears to be robotic or not (qualitative data and information on application-level functional user behavior). Whether a page sequence is robotic or not may be quantified as a “0” or “1”, or alternatively, a range of values to describe the relative level of robotic behavior, such as “0.56” or “0.3”.
  • The process of transforming information collected reduces the set of raw data collected into a manageable set of data for correlation. In some embodiments, the transformation process is integrated with the correlation process, where the transformation process may dynamically change depending on initial correlation results with certain evaluation patterns.
  • In some embodiments, the qualitative and/or quantitative information about functional user behavior is collected over a user behavior session by the web server hosting the web application. A user behavior session is defined as the end user behavior in using an application directly or indirectly from the time when the user begins to interact with the web application to the time when the user ceases to interact with the web application. For example, a browser cookie may be used to identify the user behavior session.
  • The security system has a frame construct to represent threat signatures. Each frame is a template for describing a profile of an application-level attack. A frame comprises attributes such as functional abuse traits, data injection, command injection, and threat signatures. In some embodiments, the frame attributes are automatically or manually populated by the system to create evaluation patterns that are application-specific.
  • An evaluation pattern can be implemented in many ways. For instance, an application-specific evaluation pattern can be a vector representing a list of functional abuse traits present in a specific attack on an email application. In another instance, the evaluation pattern can be implemented as an associative array with frame attributes as keys with values (e.g., “0” and “1”) to represent the presence or absence of certain attributes. Alternatively, the values may be represented by a number between 0 to 100 as weights that represent the relative importance of finding that attribute in the behavior pattern. In some embodiments, a frame may represent a particular page sequence which may indicate functional abuse.
  • In a user behavior session, the qualitative and/or quantitative functional user behavior can be tracked, collected and stored using any suitable method. For example, client-side scripting, such as JavaScript code, on a web page can be used to track mouse movements and clicks on a web site. In some embodiments, a server object is installed on the web server hosting the web application to capture relevant requests (e.g., server-side scripting) from clients to the web server, such as page requests. The information about functional user behavior collected may be transformed into a behavior pattern, wherein the behavior pattern is defined by the presence or absence of certain attributes. These attributes may qualitatively describe the functional user behavior activity, and the values for those attributes may be quantitative to facilitate storage and/or correlation. These attributes may be application-specific. For instance, a behavior pattern may be implemented as a hash table for mapping relevant qualitative attributes (e.g., average time intervals between page hits on “book_eventA.html”) to quantitative values (e.g., 0.35 hits/second). In another instance, a behavior pattern comprises a “0” or “1” as quantitative values to qualitative attributes to represent the presence or absence of those qualitative attributes (e.g., presence of “?&=” in the email address field submitted).
  • In some embodiments, user requests (e.g., HTTP requests) comprising information about functional user behavior are tracked during a user behavior session. Information about functional user behavior in the user request may comprise the timestamp of a page request, the application the request belongs to, identification of the user behavior session (e.g., browser session, cookies), request payload (e.g., URI, query string, header parameters, posted data), or any other suitable information about functional user behavior. In certain embodiments, a behavior pattern is associated with qualitative attributes that have quantifiable values associated with them. For instance, a qualitative attribute may be the presence of a regular expression in the text input entered by the user, and the quantifiable value may be a “0” or “1”. In some embodiments, the information about functional user behavior is a page sequence. The page sequence is transformed into a behavior pattern comprising quantifiable values for the following qualitative attributes:
      • Variance of time intervals between each page request
      • Average time intervals between each page request
      • Whether “confirm_order.aspx” the most visited page in the sequence
  • An example of quantitative values for the qualitative attributes above are:
      • 0.08
      • 0.12 seconds
      • 1 (indicating “yes”)
  • Raw data on information about functional user behavior is transformed into a behavior pattern using any suitable means. The resulting behavior pattern may comprise qualitative values as well, such as the page sequence itself. The behavior pattern is stored in the security system for further analysis.
  • The behavior pattern is correlated with each of the set of evaluation patterns. In some embodiments, the behavior pattern continues to be correlated with evaluation patterns as more information about application-level functional user behavior is collected. Correlation methods may comprise checking the quantitative values in the behavior pattern against some known value, such as a threshold. For instance, correlation may comprise checking the variance of time intervals between each page request against 0.03; if the variance is below 0.03, the page sequence may indicate a robotic, non-human-like functional user behavior/activity on the web application (e.g., qualitative data indicating user behavior is robotic).
  • In some embodiments, correlation is performed using statistical methods (e.g., classification methods) by finding the statistical correlation between the behavior pattern and each of the known evaluation patterns. Other correlation or classification methods used may include neural networks, nearest-neighbor classifiers, decision trees, or any other suitable classification techniques. The set of known behavior patterns may be organized by categories or may be related to each other in the form of a hierarchy, where other kinds of classification techniques may be more suitable.
  • In some embodiments, correlation is performed on the behavior pattern using pattern matching methods to match a page sequence over a user behavior session with a known page sequence pattern. In this case, the behavior pattern stored in the system is qualitative. The result of the correlation is used to determine whether the user behavior session is correlated with a security threat. Upon detecting a security threat, a remediative action is automatically executed to react to the security threat. For instance, the remediative action comprises contacting a system administrator about the security threat by email. In alternative embodiments, the remediative action is manually executed.
  • In some embodiments, the behavior patterns collected over time and over many users are used to detect new evaluation patterns. By reclustering the behavior patterns collected, the system learns, detects and extracts new abnormal and/or malicious evaluation patterns using any suitable clustering algorithm. The system also learns, detects and extracts normal patterns. The new evaluation patterns can be integrated with the existing set of evaluation patterns for future correlation and analysis.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The above and other objects and advantages of the invention will be apparent upon consideration of the following detailed description, taken in conjunction with the accompanying drawings, in which like reference characters refer to like parts throughout, and in which:
  • FIG. 1 is a diagram of an illustrative web application system in accordance with one embodiment of the invention;
  • FIG. 2 is a diagram of an illustrative web application security system in accordance with one embodiment of the invention;
  • FIG. 3 show illustrative display of an illustrative web application;
  • FIG. 4 is an illustrative flowchart for correlating functional user behavior with known evaluation patterns in accordance with one embodiment of the invention;
  • FIG. 5 is a diagram of an illustrative method for creating evaluation patterns in accordance with one embodiment of the invention; and
  • FIG. 6 is an illustrative diagram for a multi-tiered application-level security system in accordance with one embodiment of the invention.
  • DETAILED DESCRIPTION
  • FIG. 1 shows an illustrative web application system 100 in accordance with one embodiment of the invention, implemented as a server-client system. Web server 102 comprises a server computer running a computer program responsible for receiving requests from clients to serve web pages. Web server 102 may comprise control circuitry 110 to send and receive commands, requests, and other suitable data. The control circuitry 110 may be based on any suitable processing circuitry such as processing circuitry based on one or more microprocessors, microcontrollers, digital signal processors, programmable logic devices, etc.
  • Web server 102 may also include data storage components 112 for maintaining databases and files. Data storage components 112 may comprise random-access memory or hard disks. Alternatively, the databases and/or files may be stored in a different web server (not shown) from web server 102. Web server 102 may be accessible on the Internet, a local area network (LAN), wireless network, or any other suitable network, using communications device 114 such as an Ethernet card or data modem. Web server 102 may be configured to communicate with other servers or clients using communications device 114. Via communications device 114, web server 102 is accessible by various devices suitable for accessing the application running on web server 102.
  • Web server 102 runs one or more instances of web application 116. Any suitable approach may be used to provide web application 116 to a client. Any client (i.e., a user) may access and/or run an instance of web application 116 using any suitable approach. For example, a server-client based approach can be used by an email server to provide a web-based email application to a user. A user may use a blackberry to access, send and receive emails using a web browser implemented on the blackberry to access the web application. In another embodiment, a user may access the web application running on the server using remote desktop software (e.g., pcAnywhere by Symantec).
  • Web application 116 may be an online-banking web application, a social networking community web site, an online calendar application, an e-commerce application, or any other suitable web site. Web application 116 may support accessing and displaying data such as files and databases (e.g., to display device 118 or other devices coupled to the system). Web server 102 may use external storage for providing the third-party data. The data may include image files, audio files, or databases. Web server 102 may be configured to process HTTP requests and responses, or support interfaces such as PHP, ASP or MySQL. Web server 102 may be configured to serve static and/or dynamic content.
  • Web server 102 may be accessible by personal computer 104 or a laptop 111, or any other suitable user equipment devices. A plurality of devices such as computer 104, laptop 111, or any other suitable user equipment device may be connected to web server 102 concurrently. Personal computer 104 comprises processor 120 for sending requests to the web server to request data and for processing received data from the web server, and display 122 for displaying web pages. Personal computer 104 may include input device 124 such as a mouse, keyboard, touch pad, microphone, actuator, or any suitable input devices. Personal computer 104 may be used by a human user, or may be controlled by a bot or network of bots, or may be accessed by the human user or by a bot from a remote location. In some embodiments, a web browser is implemented on personal computer 104 to render web pages and data received from web server 102 to be displayed on display 122. Personal computer 104 may be configured to communicate with web server 102 using any suitable communications protocols and medium via communications device 126. Laptop 111 can be implemented in similar fashion.
  • In some embodiments, web server 102 is accessible by mobile device 106, such as a Palm Pilot, iPhone or Blackberry. Mobile device 106 comprises display 128 for displaying web pages, communications device 132 for sending requests to the web server to request data, and processor 130 for processing received data from the web server and displaying web pages to display 128. Mobile device 106 may include user input device 134 such as a touch screen, a scroll ball, keypad, microphone, haptic sensors, actuator, or any suitable input devices. Mobile device 106 may be used by a human user. In some embodiments, a web browser is implemented on mobile device 106 to render web pages and data received from the web server 102 on display 128. Mobile device 106 may be configured to communicate with web server 102 using antenna 136 and communications device 132 for over the air transmissions, or using any suitable communications protocols and medium.
  • In some embodiments, web server 102 is accessible by server 108. Server 108 comprises processor 138, communications device 140 and data storage components 142. Server 108 may be used as a web application acceleration server to improve the performance (e.g., to improve response time for certain web pages in application 116). Server 108 may be responsible for storing data for web server 102, such as for backup purposes, or for hosting a portion of the data provided by application 116. Server 108 may also provide functionalities for application 116 running on web server 102, such as credit card payment processing or some server/processor intensive process. Server 108 can be a mirror server running the same or part of application 116 running on the web server 102. Server 108 may be configured to communicate with web server 102 using any suitable communications protocols and medium via communications device 140. In some embodiments, the functionalities of web server 102 and server 108 are combined and provided from a single system at a single facility, or multiple systems at multiple facilities.
  • User equipment such as personal computer 104, mobile device 106 and laptop 111 may include any equipment suitable for providing a web application experience. Other examples of user equipment can include gaming systems (e.g., PlayStation), set top boxes, IP phones, etc. A user may use the user equipment to perform functions using web application 116. Using any input devices suitable to interface with the user equipment, a user may click on a link on a web page to request another web page from web server 108 (e.g., sends an HTTP request to the web server 104). Upon receiving the HTTP request, web server 108 processes the request and sends an HTTP response to the user equipment, where the response includes information needed to display the web page requested.
  • Web server 102 may not run a web application that provides web sites to clients. Web server 102 may provide data and other functions to an instance of an application or program running on user equipment. In one embodiment, web server 102 may provide flight schedule information to mobile device 106 used by an air traffic controller. Mobile device 106 may have a database program implemented thereon, such as an instance of FileMaker, or Microsoft Access. The database program may send database requests or queries for flight schedule data stored on web server 102. Web server 102 may also request third party data, such as weather information, from a remote server similar to server 108.
  • Web server 102 may be a file server configured to support cloud computing, providing the infrastructure and software as a service to users. Web server 102, or in conjunction with other distributed servers, may provide users with access to data, files and applications. For example, web server 102 may be used to support a project management tool for storing a repository of files associated with business projects, and to provide access of the data, files and applications to users around the world.
  • FIG. 2 shows an illustrative web application security system 200 in accordance with one embodiment of the invention. Web server 204, web server 206, client 208 and client 212 may be configured to communicate using a server-client approach or any other suitable approach. Web server 204, web server 206, behavior analysis engine 216, correlation engine 218, and learning engine 220 are configured to communicate with each other via network 202 (e.g., Internet, Wide Area Network, Local Area Network, cellular network, etc). For instance, network 202 allows web server 204 to communicate with client 208 and client 212 to provide a server-client web application experience (e.g., by communicating with HTTP requests and responses). Web server 204 and/or web server 206 may use network 202 to communicate data about functional user behavior to the behavior analysis engine 216. In some embodiments, the data about functional user behavior is captured on the server-side. In other embodiments, the data about functional user behavior is captured on the client-side.
  • Network 202 may be implemented in any suitable topology. Communications on network 202 may be any suitable communications protocol (e.g., HTTP over TCP/IP). Web server 204 implementing application 222 is coupled to network 202, and may be configured in a similar fashion as web server 102. Web server 206 is coupled to the network 202, and may be implemented in a similar fashion as server 108. In certain embodiments, the functionalities of the web server 204 and web server 206 are combined and implemented as a single system in a single facility. In alternative embodiments, those functionalities are implemented as a plurality of systems in a plurality of facilities. Web server 204 and/or web server 206 may be configured to send data associated with functional user behavior to behavior analysis engine 216. Correlation engine 218 or another server computer (not shown) may be configured to communicate with web server 204, web server 206, client 208, and client 212 to execute a remediative action in response to detecting malicious behavior.
  • Web server 204 and web server 206 are accessible by at least one client, for instance, client 208 and client 212. Client 208 and client 212 may be a personal computer, a mobile device, a laptop, a server, or any suitable device configured to communicate and access the web server 204 and/or web server 206, as described in relation to FIG. 1. Client 208 and client 212 may be configured to establish a user behavior session, user behavior session 210 and user behavior session 214 respectively (e.g., browser sessions as established by a browser cookie). In some embodiments, each client machine may establish more than one user behavior sessions. Although only client 208 and client 212 is shown, other clients implemented in a similar fashion may also establish behavior sessions. Multiple clients may be connected to web server 204 or web server 206 at the same time.
  • In some embodiments, a user behavior session, such as user behavior session 210 and user behavior session 214, defines the session where characteristics of functional user behavior on an application are collected. A user behavior session may be associated with a particular browser cookie. The information that security system 200 keeps track of during a user behavior session may include a web page or screen sequence navigated by the user, along with the time intervals associated with each page. Other information about functional user behavior may include input in web pages, screens, or forms of the application. Other examples may include timestamped user clicks or touch strokes within a web page or screen of the application. The functional user behavior may be processed and tagged by the context of the behavior. For instance, a click on an image on a web page may be tagged with a description of the image (e.g., “information icon”). In some embodiments, functional user behavior in a browser session on an application is monitored and tracked over time, and the information about the functional user behavior collected during the browser session (i.e., a user behavior session) is transformed and stored in a behavior pattern.
  • Tracking functional user behavior in a user behavior session improves upon tracking a single connection between clients and servers (i.e., tracking traffic to and from a single IP address). Blocking and protecting against a single connection (i.e., IP address) may be ineffective because a hacker or abusive user may try and establish connections using multiple IP addresses to launch attacks.
  • In some embodiments, the information about functional user behavior is analyzed by behavior analysis engine 216. The qualitative and/or quantitative information about functional user behavior may be captured by server object 224 installed on web server 204. The information captured by server object 224 (or a client-side script) may be communicated to behavior analysis engine 216 over network 202 for further processing. Behavior analysis engine 216 may be implemented on the web server 204 or web server 206, or may be implemented as a separate server, or as multiple servers. Behavior analysis engine 216 may be configured to communicate with clients of the application 222 (e.g., client 208 and client 212), web server 204 and web server 206 to collect qualitative and/or quantitative information about functional user behavior. In certain embodiments, behavior analysis engine 216 is implemented in a distributed server system, where the collected information is quickly synchronized across the network. Behavior analysis engine 216 may be configured to monitor, track, store, transform, and analyze functional behavior on web application 222. Behavior analysis engine 216 may be configured to track and collect user behavior sessions for a part of web application 222, or may be configured to track and collect user behavior sessions for multiple web applications.
  • In some embodiments, a behavior tracker script (e.g., JavaScript file) is installed on pages of web application 222 to track user clicks or text input or any functional user behavior. The behavior tracker script and behavior analysis engine 216 may be configured to track and store a predefined set of various kinds of functional user behaviors. Behavior analysis engine 216 may also track non-functional user behavior (e.g., IP/TCP packet header data sent between servers and clients), or work with network firewalls to track other data. Server-side scripts may be installed as a server object 224 on web server 204 and web server 206 to track requests and responses between the servers and clients. The scripts may be configured to send data associated with functional user behavior to a separate data storage location, such as relational database 226 or any other suitable data storage components on behavior analysis engine 216 for further analysis. Behavior analysis engine 216 may be configured to organize incoming data associated with functional user behavior into user behavior sessions using browser cookies. The data collected may be aggregated, processed, transformed and analyzed by behavior analysis engine 216. In some embodiments, information about functional user behavior is transformed from raw data collected from users and/or clients into behavior patterns, where the behavior pattern is in a format that matches with the inputs of the correlation methods. The behavior patterns stored and collected in relational database 226 may be used by learning engine 220 to improve the algorithms running on behavior analysis engine 216 and correlation engine 218.
  • In some embodiments, the functional user behavior is tracked by server object 224 in web server 204, and the information about the functional user behavior in the user behavior session is stored in relational database 226 in behavior analysis engine 216. For instance, an HTTP request for a web page from a user may be stored as a new record in relational database 226. The information and records in relational database 226 may be aggregated during a user behavior session to form a behavior pattern that represents and qualitative describe application activities within a browser session. Page history during a user behavior session may be stored as a hash table for quick retrieval and access. The information aggregated may be further processed and transformed into a behavior pattern. For instance, the raw data gathered during a user behavior session may be transformed into a behavior pattern by representing the presence of certain user input characteristics and presence of pages in the page sequence as a multidimensional vector in a relational database. The behavior pattern qualitatively describes application-level functional user behavior and may further comprise quantifiable values for certain qualitative attributes and characteristics of functional user behavior.
  • In some embodiments, page sequence in a user behavior session may be transformed into a behavior pattern by using a Markov chain. The Markov chain may have a plurality of states. The Markov chain may change the current state depending on the next page in the page sequence in a user behavior session. For instance, a Markov chain may model a page sequence in a user behavior session, and at each page request, behavior analysis engine 216 may update the current state of the Markov chain. With a suitable Markov chain to model page history of a user as page requests are processed, the current state can reflect previous page visits in the page sequence. The Markov chain allows pattern matching to occur without doing a full search on the sequence each time a new page request is received at behavior analysis engine 216.
  • In one embodiment, correlation engine 218 is implemented to correlate behavior patterns associated with functional user behavior during a particular behavior session (e.g., aggregated by behavior analysis engine 216 over a browser session) with a set of evaluation patterns (e.g., a set of known behavior profiles). The raw data (qualitative and or quantitative) associated with functional user behavior collected from users and/or clients may be transformed into a format that matches the input of the correlation engine 218. The data in this format is stored as a behavior pattern, and the data is qualitative and/or quantitative. The raw data of an HTTP request (e.g., POST) may be parsed to look for attributes in the evaluation patterns (e.g., parsing for particular regular expressions).
  • In an illustrative embodiment, the result of parsing the HTTP requests may be transformed into a vector that keeps track of whether certain regular expressions have appeared in the HTTP requests. An example of a behavior pattern is:
  • Q=[0, 1, 1, 0, 1, 1, 0, 0, 0]
  • wherein each element in the vector represents the presence or absence of certain regular expressions (e.g., presence of .exe, presence of //*, presence of %+″, presence of &&=, etc). An example of an evaluation pattern representing a malicious profile is:
  • E=[0, 1, 1, 0, 0, 1, 0, 0, 1]
  • where each element in the vector represents the presence or absence of certain regular expressions. Correlation engine 218 may use the vector to find the dot product of the two vectors (Q.E) to determine the similarity between the two vectors. If the result of the dot product is greater than a certain threshold (e.g., threshold=3), correlation engine 218 considers the behavior pattern Q as a match with evaluation pattern E. A match with an evaluation pattern associated with malicious activity may invoke a remediative action, such as session termination.
  • Correlation engine 218 correlates current behavior patterns with known evaluation patterns. For instance, information about page sequence in a user behavior session stored in relational database 226 may be transformed into a state in a Markov chain; the state may be used as part of the correlation process to determine whether the current state is associated with malicious behavior or not. Evaluation patterns will be described in further detail in relation to FIG. 5. The correlation engine and the algorithms implemented thereon may be automatically or manually updated to reflect additional information learned about user behavior and new information about the application. The correlation engine 218 may be implemented differently depending in part on application 222 running on web server 204.
  • In certain embodiments, results of correlations are tracked and reported to system administrators for further inspection and analysis. Results may also be used to train (e.g., using learning engine 220) the classification system in correlation engine 218. Alternatively, results may be used to recluster the set of behavior patterns in learning engine 220.
  • In some embodiments, learning engine 220 is implemented to learn from behavior patterns collected by behavior analysis engine 226 and the results from the correlation engine 218 using any suitable artificial intelligence learning algorithms. Learning engine 220 is configured to update the set of known behavior patterns over time. For instance, based at least in part on the behavior patterns collected, the learning engine can recluster the behavior patterns against the set of known evaluation patterns to detect new evaluation patterns. In another instance, learning engine 220 can use information about past attacks (e.g., such as the time frame of a past attack) as a heuristic to recluster the behavior patterns. Learning engine 220 may use a combination of heuristics and evolutionary algorithms. Heuristics may include information about past attacks, such as the locale of where the past attacks originated from. The new evaluation patterns learned from the reclustering process can be integrated with the set of known evaluation patterns in correlation engine 218. System 200 may modify the correlation engine 218 by incorporating new evaluation patterns detected in learning engine 220. The new evaluation patterns may become more specific to application 222 that system 200 is protecting, and thereby improve the performance of detecting security threats. The new evaluation patterns may represent new user behavior patterns, perhaps due in part to changes in the application or changes in user activities on the application. System 200 can then adapt to those changes automatically, without requiring manual re-configuration by the system administrator.
  • Clustering methods may include artificial intelligence algorithms such as hierarchical clustering, partitional clustering and spectral clustering. Learning engine 220 may be adapted and modified to reflect changes in application 220, new features tracked by system 200, new kinds of functional behavior, changes in the distribution of the functional user behaviors, or new knowledge about methods used by hackers. The clustering method may adapt to behavior patterns collected, or any other factors. Learning engine 220 may run automatically and continuously over time, or it may run at scheduled time intervals, or it may run as instructed by system administrators.
  • By updating the set of evaluation patterns, the performance of the system can improve as new evaluation patterns are learned. As described in relation to learning engine 220, the system 200 collects information for behavior patterns in current user behavior sessions or past user behavior sessions. Learning engine 220 continuously or discretely correlates the behavior patterns collected with the set of known evaluation patterns. As more information is known about distribution of functional user behavior, the behavior patterns collected may be reclustered by learning engine 220 to detect and learn new evaluation patterns. For instance, as the application is being used by users over time, normal functional user behavior patterns may emerge as more users use the web site, and those emerging patterns may not have existed as part of the set of evaluation patterns. In some embodiments, abnormal behavior may emerge as more users use the web site. For example, a group of hackers may have discovered a potential vulnerability of the application, and may attempt a series of attacks. The hackers' attempts can be detected by learning engine 220.
  • The learning process in learning engine 220 may take place online and/or offline on a regular time basis. New evaluation patterns found using learning engine 220 can be incorporated offline with the behavior analysis engine 216 and correlation engine 218 via an automatic process.
  • In operation, behavior analysis engine 216, correlation engine 218, and learning engine 220 may be implemented on multiple servers, or all or a subset of the engines can be combined and implemented on a single individual server.
  • FIG. 3 shows an illustrative display of an illustrative web application. In one embodiment, security system 200 collects information about functional user behavior on the web application running on web server 204, web server 206, and/or web server 102. The illustrative web application may be provided to users and clients as a web site as described in relation to FIG. 1. FIG. 3 shows screen shot 300 of a web site in an illustrative embodiment. A “register_form.html” page of the web site “website.com” is as shown in address bar 302. Hyperlinks to other parts of the web site are provided in navigation bar 304. A user may click on the “Contact” link to navigate to a different web page, or activate a script or program to send a communication to the server. User clicks, navigation to a different web page, activating a script or program to send a communication, or any other suitable user activity, may be functional user behavior tracked and monitored by behavior analysis engine 216. Clicks on a button that activates script, program, or sends a request, may be a potential vulnerability which attackers may use repetitively to slow down the server and perform a denial of service attack.
  • A user may provide text input for login fields 306, or text input for search field 308. The input provided along with an identification of the text field may be tracked by server object 224 in web server 204 and may be transmitted to behavior analysis engine 216 for further processing. Text fields may be vulnerable because hackers and attackers can use the field to perform a buffer overflow attack. Users may also be able to insert commands by submitting special characters in login fields 306 and search field 308, or any other input field that receives text. A hacker may also use a dictionary attack to gain access to the system via login fields 306, and the repeated attempts to gain access may be tracked as repeated sequences of “login.html” and “error.html” in the page sequence tracked by behavior analysis engine 226. The text input and the timestamped sequence of login attempts may be tracked by behavior analysis engine 216. Timestamped data of functional user behavior tracked by server object 224 and behavior analysis engine 216 may be stored in relational database 226. The timestamp is quantitative data and the pages in the repetitive sequence are qualitative data collected over a user behavior session. The timestamp and pages in the sequence may be transformed into a behavior pattern. The behavior pattern may be stored in relational database 226. The behavior pattern is used as an input to the correlation engine 218.
  • The web application may include form fields in registration form 310. Registration form 310 may invoke backend database queries on web server 204 and web server 206. Data provided through the form may be malformed and can cause errors on the server side. To transform the raw data (e.g., user input in registration form 310) to a behavior pattern, user input may be parsed using regular expressions to find input that poses a security threat. Multiple registrations may also be problematic for a web application and can be a common functional abuse trait for a web site. For an e-commerce web site that offers a $10 (ten dollar) gift certificate to every one who registered for the web site, multiple account registrations may be problematic and costly. Registration forms may also be vulnerable to SQL injections if the user enters a partial database query into the form field. For instance, the text including the partial database query parsed and sent to the backend database may become a malicious query requesting web server 206 to return the password of a user.
  • The illustrative web application shown in FIG. 3 may be configured to offer other services such as chat as shown in chat box 320, and/or provide third-party information such as weather in area 322. Chat data may be provided from other entities, such as by client 212, client 214, personal computer 104, mobile device 106, laptop 111, or by a computer program running on web server 102, web server 204 or web server 206. The third-party information may be provided by server 108 or web server 206. These enhanced services on the illustrative web application may also be vulnerable to hackers and attackers. A user may submit malicious trojans or scripts to dynamic web applications. A user may perform denial of service attacks on the servers as hackers may be able to spoof legitimate requests to those third-party servers for malicious purposes. Abuses described in relation to FIG. 3 are commonly associated with application-level attacks.
  • FIG. 4 is an illustrative flowchart of a process 400 involved in correlating information about functional user behavior with known evaluation patterns to detect security threats, according to an embodiment of the invention. As user 402 is using the application, qualitative and/or quantitative information about the functional user behavior is collected in step 404, as described in relation to server object 224, and behavior analysis engine 216, and FIG. 2. Step 406 transforms the information collected by server object 224 into a behavior pattern or updates the behavior pattern (e.g., as stored in relational database 226) associated with the particular user behavior session. Transformation in step 406 may be performed by behavior analysis engine 216. The process 400 then proceeds to step 408 where the behavior pattern is correlated with evaluation patterns in correlation engine 218. At step 410, the process determines whether the behavior pattern matches a malicious behavior pattern. Step 408 and step 310 may be performed by correlation engine 218.
  • If step 410 results in yes, the next steps in the process 400 is to execute remediative action (step 412) and learning (step 414). Any suitable server may be used to execute remediative action, such as an email server, or web server 204. If the behavior pattern is found to be a match (e.g., yes to step 410) with a evaluation pattern associated with malicious behavior, the system may automatically execute remediative action (step 414), such as notifying the system administrator, or disabling the user account on the web application. Evaluation patterns may or may not be associated with a remediative action. Remediative action associated with a evaluation pattern may be manually executed by a system administrator.
  • Remediative action may include modification (outside of application 116 or web server 102) such as sending an email to a system administrator with information related to the potential security threat. Remediative action may include an alert inserted in application 116 or application 222 as a pop-up on a web page to inform the user that security system 200 has detected malicious behavior. In some embodiments, remediative action includes redirecting the browser session to a blocking page hosted on another server that halts and terminates the current session, and prevents further access and use of application 116 and application 222. If the behavior pattern matches a evaluation pattern that is benign, the system may continue to collect information about functional user behavior during the user behavior session, continue to update behavior pattern, and continue to correlate the updated behavior pattern with evaluation patterns.
  • Updating analytics is performed by learning engine 220 in step 414, where learning engine 220 uses the information about the behavior patterns collected over time to improve behavior analysis engine 216 and correlation engine 218. The metrics used in behavior analysis engine 216 and correlation engine 218 may be continuously updated and recalculated using cumulative data collected from current and/or past behavior patterns.
  • If step 410 results in no, the next steps are to return to step 404 to collect more information about functional user behavior, and to update the analytics in step 414. In some embodiments, though the user behavior may not be malicious, the information in the behavior pattern is used to update behavior analysis engine 216 and/or correlation engine 218 in the learning step 414 by learning engine 220.
  • FIG. 5 is a diagram of an illustrative method 500 for creating behavior patterns in accordance with one embodiment of the invention. As described in relation to FIG. 2, behavior patterns are correlated with evaluation patterns. In certain embodiments, frames are either manually or automatically created for a particular application-level attack. Frames include attributes such as functional abuse traits, data injection, command injection, and threat signatures. As a template for a threat signatures or a malicious behavior profile, a frame provides a modular and adaptive capability to model known application-level threat profiles as well as learned application-level threat profiles that may be specific to a host application and its users. Frame 502 or any other frames may be created manually based at least in part on a system administrator's expertise in application-level attacks. In some embodiments, frames have parameters that can be adjusted for different applications.
  • Frames may be generic in nature. For instance, the detection of a regular expression as part of the user input may be a frame attribute. In some embodiments, frame attributes may be associated with a particular sequence of pages, as it can be interpreted as a sign of functional abuse. Either automatically or manually, frames may be constructed or adapted to create evaluation patterns by modifying and customizing frame attributes and parameters. The adaptive capability is advantageous because a particular sequence of pages can be interpreted as malicious while a similar repetition of pages may be normal in a different kind of application.
  • Evaluation patterns may be created from frames, where the frame attributes are adapted for the application being protected by the system. For instance, a frame with a regular expression as a frame attribute can be modified to create an evaluation pattern by associating the frame attribute with a specific regular expression (i.e., the parameter to the frame attribute). Frames may be adapted using learning engine 220 to create new evaluation patterns. Learning engine 220 may recluster behavior patterns to create new evaluation patterns by adjusting frame attributes or evaluation patterns attributes, or parameters to reflect new patterns detected by the reclustering process.
  • As shown in FIG. 5, frame 502 has three threat signatures as frame attributes: argument injection 506, command delimiters 508, abusive resource consumption 510. Evaluation pattern 504 has evaluation pattern attributes. In general, frame attributes and evaluation attributes are qualitative, and the values for those attributes are qualitative and/or quantitative. Through an automatic process (e.g., using clustering methods in learning engine 220) or manual process, frame 502, its attributes and parameters can be adapted to an application and become an application-specific evaluation pattern 504. For argument injection 506, frame attribute 506 is adapted to check functional user behavior by parsing specifically for “,”″-- characters. For command delimiters 508, the evaluation pattern may check behavior patterns by parsing /, ? and ( ) characters in user input. For abusive resource consumption, the evaluation pattern may check behavior patterns for the presence of a repetitive page sequence (e.g., “submit.html” appears 25 times) in a user behavior session. Depending on the application being protected by the system, the attribute for abusive resource consumption is modified to check for a different repetitive page sequence (e.g., adapting parameters for different applications).
  • Information associated with functional user behavior collected by server object 224 describes the functional user activity over a user behavior session, and may be transformed to a behavior session using behavior analysis engine 212. Based on the attributes of the set of known frames and application-specific evaluation patterns, the raw data collected about the functional user behavior may be transformed by behavior analysis engine 212 into a behavior pattern in a way such that the behavior pattern can be processed and correlated easily. The transformation may be performed by mapping the raw data collected by server object 224 to attributes within the set of known frame attributes and/or evaluation pattern attributes. For instance, the mapping process may transform rows of raw data associated with functional user behavior in relational database 226 into a behavior pattern (e.g., into another row in another database table) that tracks the presence or absence of certain frame attributes and/or evaluation pattern attributes in those rows of raw data. In some embodiments, an associative array keeping track of the presence or absence of certain attributes is used to represent the behavior pattern. The behavior pattern are statistically and programmatically correlated with the set of known behavior patterns for the application.
  • The frames and behavior patterns can be created based at least in part of the general knowledge of types of attacks and application vulnerabilities, specific application-type and/or platform knowledge of existing vulnerabilities and previous attacks, and stochastic behavior analysis of collected behavior patterns. As discussed in relation to FIG. 2, the evaluation patterns may be updated via a reclustering process in learning engine 220. In some embodiments, the evaluation patterns are manually updated by a system administrator.
  • In some embodiments, application-specific behavior patterns are generated or created by the definition of specific pages to be considered for or excluded in a behavior pattern. The process of generating or creating the behavior patterns may involve configuring parameters to the frames and evaluation patterns, such as specifying the regular expressions in the attributes of the frame and/or evaluation patterns. In some embodiments, the behavior patterns are created using statistical analysis, as described in relation to the learning engine 220.
  • FIG. 6 is an illustrative diagram for a multi-tiered application-level security system in accordance with one embodiment of the invention. Security system 200 may be implemented as a multi-tiered global infrastructure. Attacks are stopped closest to the source at points local to the attacks to prevent abusive and consumptive usage of resources of the host application's system. It may be advantageous to implement a plurality of local systems 606 at geographically distributed points to provide threat protection at the edge. In certain embodiments, local systems 606 may be used for threat remediative.
  • Data tracked over a user behavior session may be quickly synchronized across all points of protection for effective threat knowledge transfer and remediative. A plurality of regional systems 604 may be geographically located regionally and provide the hub for session detection, correlation, and analytics. Regional systems 604 may comprise at least one of: behavior analysis engine 216, correlation engine 218, and learning engine 220. Regional systems 604 may implement components of processes described in relation to FIG. 4.
  • At least one central system 602 may be located at major geographical points and be configured to provide the central core for reporting, management, and analytics. Central system 602 may be configured to synchronize information collected from different locations. In certain embodiments, central system 602 may be configured to process behavior patterns collected to learn new evaluation patterns, as described in relation to learning engine 220 and FIG. 4. In some embodiments, the central system 602 may be configured to perform global analysis on the performance of the system, and/or report analytical data to administrators.
  • It will be apparent to those of ordinary skill in the art that methods involved in the present invention may be embodied in a computer program product that includes a computer usable and/or readable medium. For example, such a computer usable medium may consist of a read only or writeable memory device, such as a CD ROM disk, DVD, flash memory stick, conventional ROM devices, or a random access memory, such as a hard drive device or a computer diskette, having a computer readable program code stored thereon.
  • The above described embodiments of the present invention are presented for purposes of illustration and not of limitation, and the present invention is limited only by the claims which follow.

Claims (38)

1. A method for detecting malicious functional user behavior on a web application comprising:
collecting a plurality of user requests sent from a client device to a web server hosting the web application during a session, wherein:
the plurality of user requests comprise information associated with functional user behavior; and
the web application is provided by the web server to the client device over the Internet;
transforming the information associated with functional user behavior into a behavior pattern that qualitatively describes the functional user behavior;
correlating the behavior pattern with a set of known evaluation patterns, wherein at least one of the known evaluation patterns is associated with malicious functional user behavior; and
in response to finding a match between the behavior pattern and an evaluation pattern associated with malicious functional user behavior from the correlation, automatically executing a remediative action associated with the matching evaluation pattern.
2. The method defined in claim 1 wherein information associated with functional user behavior includes at least one of: qualitative information about user activity on the web application and quantitative information about user activity on the web application.
3. The method defined in claim 1 wherein the behavior pattern comprises quantifiable information about certain qualitative functional user behavior characteristics, the qualitative functional user behavior characteristics including at least one of: user input on a web page, a web page browsing sequence, timestamp of user input, and timestamp of page visits in the browsing sequence.
4. The method defined in claim 1 wherein user input comprises at least one of: text input, mouse clicks, cursor movements, and haptic input.
5. The method defined in claim 1 wherein the session is a user behavior session that begins at a first time when interaction with the web application begins to a second time when the interaction with the web application stops.
6. The method defined in claim 1 further comprising storing a plurality of behavior patterns over time in a data storage device.
7. The method defined in claim 1 wherein one of the evaluation patterns comprises receiving a specific regular expression as input.
8. The method defined in claim 1 wherein one of the evaluation patterns comprises the presence of a particular sequence of web pages.
9. The method defined in claim 1 wherein the evaluation patterns are specific to the web application and are generated from a set of non-application specific behavior patterns.
10. The method defined in claim 1 wherein the evaluation patterns are hierarchically related.
11. The method defined in claim 1 wherein correlating comprises classifying the behavior pattern using statistical correlation algorithms and heuristics, wherein statistical correlation algorithms comprise quantitatively calculating the similarity between the behavior pattern and each of the evaluation patterns.
12. The method defined in claim 1 further comprising updating the evaluation patterns based at least in part on heuristics.
13. The method defined in claim 6 further comprising clustering behavior patterns collected against the evaluation patterns to extract one or more new evaluation patterns.
14. The method defined in claim 6 further comprising updating the evaluation patterns based at least in part on behavior patterns collected.
15. The method defined in claim 11 wherein classifying the behavior pattern is based at least in part on the presence or absence of certain functional characteristics in the behavior pattern.
16. The method defined in claim 1 wherein the remediative action comprises sending a notification to a system administrator.
17. The method defined in claim 1 wherein the remediation action comprises blocking the user from accessing the web application for a certain period of time.
18. The method defined in claim 1 wherein the remediation action comprises modifying the session by displaying an alerting on the web application.
19. The method defined in claim 1 further comprising collecting a plurality of user requests across a plurality of distributed networks and access points.
20. A system for detecting malicious functional user behavior on a web application, comprising:
control circuitry on a server configured to receive a plurality of user requests sent from a client device to a web server hosting the web application during a session, wherein:
the plurality of user requests comprise information associated with functional user behavior; and
the web application is provided by the web server to the client device over the Internet;
transform the information in the user requests received into a behavior pattern that qualitatively describes the functional user behavior;
a data storage in the server for storing the plurality of user requests and the behavior pattern; and
a processor on the server for:
correlating the behavior pattern with a set of known evaluation patterns, wherein at least one of the known evaluation patterns is associated with malicious functional user behavior;
in response to finding a match between the behavior pattern and an evaluation pattern associated with malicious functional user behavior, automatically executing a remediative action associated with the matching evaluation pattern.
21. The system defined in claim 20 wherein the information associated with functional user behavior includes at least one of: qualitative information about user activity on the web application and quantitative information about user activity on the web application.
22. The system defined in claim 20 wherein the behavior pattern comprises quantifiable information about certain qualitative functional user behavior characteristics, the qualitative functional user behavior characteristics including at least one of: user input on a web page, a web page browsing sequence, timestamp of user input, and timestamp of page visits in the browsing sequence.
23. The system defined in claim 20 wherein user input comprises at least one of: text input, mouse clicks, cursor movements, and haptic input.
24. The system defined in claim 20 wherein the session is a user behavior session that begins at a first time when interaction with the web application begins to a second time when the interaction with the web application stops.
25. The system defined in claim 20 further comprising storing a plurality of behavior patterns over time in the data storage device.
26. The system defined in claim 20 wherein one of the evaluation patterns comprises receiving a specific regular expression as input.
27. The system defined in claim 20 wherein one of the evaluation patterns comprises the presence of a particular sequence of web pages.
28. The system defined in claim 20 wherein the evaluation patterns are specific to the web application and are generated from a set of non-application specific behavior patterns.
29. The system defined in claim 20 wherein the evaluation patterns are hierarchically related.
30. The system defined in claim 20 wherein correlating comprises classifying the behavior pattern using statistical correlation algorithms and heuristics, wherein statistical correlation algorithms comprise quantitatively calculating the similarity between the behavior pattern and each of the evaluation patterns.
31. The system defined in claim 20 wherein the processor is further configured to update the evaluation patterns based at least in part on heuristics.
32. The system defined in claim 25 wherein the processor is further configured to cluster behavior patterns collected against the evaluation patterns to extract one or more new evaluation patterns.
33. The system defined in claim 25 wherein the processor is further configured to update the evaluation patterns based at least in part on behavior patterns collected.
34. The system defined in claim 30 wherein classifying the behavior pattern is based at least in part on the presence or absence of certain functional characteristics in the behavior pattern.
35. The system defined in claim 20 wherein the remediative action comprises sending a notification to a system administrator.
36. The system defined in claim 20 wherein the remediation action comprises blocking the user from accessing the web application for a certain period of time.
37. The system defined in claim 20 wherein the remediation action comprises modifying the session by displaying an alerting on the web application.
38. The system defined in claim 20 wherein the control circuitry is further configured to receive a plurality of user requests across a plurality of distributed networks and access points.
US12/468,739 2009-05-19 2009-05-19 Systems and methods for application-level security Expired - Fee Related US8356001B2 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
US12/468,739 US8356001B2 (en) 2009-05-19 2009-05-19 Systems and methods for application-level security
JP2012511848A JP2012527691A (en) 2009-05-19 2010-04-30 System and method for application level security
PCT/US2010/033193 WO2010135068A1 (en) 2009-05-19 2010-04-30 Systems and methods for application-level security
EP10778096.7A EP2433215A4 (en) 2009-05-19 2010-04-30 Systems and methods for application-level security
CA2762429A CA2762429A1 (en) 2009-05-19 2010-04-30 Systems and methods for application-level security
AU2010250015A AU2010250015A1 (en) 2009-05-19 2010-04-30 Systems and methods for application-level security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US12/468,739 US8356001B2 (en) 2009-05-19 2009-05-19 Systems and methods for application-level security

Publications (2)

Publication Number Publication Date
US20100299292A1 true US20100299292A1 (en) 2010-11-25
US8356001B2 US8356001B2 (en) 2013-01-15

Family

ID=43125243

Family Applications (1)

Application Number Title Priority Date Filing Date
US12/468,739 Expired - Fee Related US8356001B2 (en) 2009-05-19 2009-05-19 Systems and methods for application-level security

Country Status (6)

Country Link
US (1) US8356001B2 (en)
EP (1) EP2433215A4 (en)
JP (1) JP2012527691A (en)
AU (1) AU2010250015A1 (en)
CA (1) CA2762429A1 (en)
WO (1) WO2010135068A1 (en)

Cited By (113)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110023118A1 (en) * 2009-07-21 2011-01-27 Wright Clifford C Behavioral-based host intrusion prevention system
US20110023115A1 (en) * 2009-07-21 2011-01-27 Wright Clifford C Host intrusion prevention system using software and user behavior analysis
US20110321164A1 (en) * 2010-06-28 2011-12-29 Infosys Technologies Limited Method and system for adaptive vulnerability scanning of an application
US20120030767A1 (en) * 2010-07-29 2012-02-02 Accenture Global Services Limited. System and method for performing threat assessments using situational awareness
US20120278179A1 (en) * 2011-04-28 2012-11-01 Ray Campbell Systems and methods for deducing user information from input device behavior
WO2013028794A2 (en) 2011-08-25 2013-02-28 T-Mobile Usa, Inc. Multi-factor identity fingerprinting with user behavior
US20130133033A1 (en) * 2011-11-23 2013-05-23 Marc E. Davis Behavioral fingerprint controlled automatic task determination
US20130167207A1 (en) * 2011-09-24 2013-06-27 Marc E. Davis Network Acquired Behavioral Fingerprint for Authentication
US8484741B1 (en) 2012-01-27 2013-07-09 Chapman Technology Group, Inc. Software service to facilitate organizational testing of employees to determine their potential susceptibility to phishing scams
US20130191887A1 (en) * 2011-10-13 2013-07-25 Marc E. Davis Social network based trust verification Schema
US8555077B2 (en) 2011-11-23 2013-10-08 Elwha Llc Determining device identity using a behavioral fingerprint
US20130304677A1 (en) * 2012-05-14 2013-11-14 Qualcomm Incorporated Architecture for Client-Cloud Behavior Analyzer
US8615807B1 (en) 2013-02-08 2013-12-24 PhishMe, Inc. Simulated phishing attack with sequential messages
US8635703B1 (en) 2013-02-08 2014-01-21 PhishMe, Inc. Performance benchmarking for simulated phishing attacks
US8689350B2 (en) * 2011-09-24 2014-04-01 Elwha Llc Behavioral fingerprint controlled theft detection and recovery
US8713704B2 (en) 2011-09-24 2014-04-29 Elwha Llc Behavioral fingerprint based authentication
US8719940B1 (en) 2013-02-08 2014-05-06 PhishMe, Inc. Collaborative phishing attack detection
US20140279767A1 (en) * 2013-03-14 2014-09-18 Telmate, Llc Determining a threat level for one or more individuals
US8918834B1 (en) * 2010-12-17 2014-12-23 Amazon Technologies, Inc. Creating custom policies in a remote-computing environment
US20140379906A1 (en) * 2012-02-03 2014-12-25 Innometrics Ab Method for tracking user interaction with a web page
US20150052594A1 (en) * 2011-08-05 2015-02-19 Safefaces LLC Methods and systems for identity verification in a social network using ratings
US20150058162A1 (en) * 2011-08-18 2015-02-26 Visa International Service Association Remote Decoupled Application persistent State Apparatuses, Methods and Systems
US20150106933A1 (en) * 2013-10-15 2015-04-16 Penta Security Systems Inc. Device for detecting cyber attack based on event analysis and method thereof
US9015860B2 (en) 2011-09-24 2015-04-21 Elwha Llc Behavioral fingerprinting via derived personal relation
US20150142962A1 (en) * 2013-10-21 2015-05-21 Nyansa, Inc. System and method for observing and controlling a programmable network using cross network learning
US9083687B2 (en) 2011-09-24 2015-07-14 Elwha Llc Multi-device behavioral fingerprinting
US9143517B2 (en) 2013-01-31 2015-09-22 Hewlett-Packard Development Company, L.P. Threat exchange information protection
US9152787B2 (en) 2012-05-14 2015-10-06 Qualcomm Incorporated Adaptive observation of behavioral features on a heterogeneous platform
US9262629B2 (en) 2014-01-21 2016-02-16 PhishMe, Inc. Methods and systems for preventing malicious use of phishing simulation records
US9275348B2 (en) 2013-01-31 2016-03-01 Hewlett Packard Enterprise Development Lp Identifying participants for collaboration in a threat exchange community
US9298494B2 (en) 2012-05-14 2016-03-29 Qualcomm Incorporated Collaborative learning for efficient behavioral analysis in networked mobile device
US9298900B2 (en) 2011-09-24 2016-03-29 Elwha Llc Behavioral fingerprinting via inferred personal relation
US20160094577A1 (en) * 2014-09-25 2016-03-31 Oracle International Corporation Privileged session analytics
US9319897B2 (en) 2012-08-15 2016-04-19 Qualcomm Incorporated Secure behavior analysis over trusted execution environment
US9325730B2 (en) 2013-02-08 2016-04-26 PhishMe, Inc. Collaborative phishing attack detection
US9324034B2 (en) 2012-05-14 2016-04-26 Qualcomm Incorporated On-device real-time behavior analyzer
US9330257B2 (en) 2012-08-15 2016-05-03 Qualcomm Incorporated Adaptive observation of behavioral features on a mobile device
US9336388B2 (en) * 2012-12-10 2016-05-10 Palo Alto Research Center Incorporated Method and system for thwarting insider attacks through informational network analysis
US20160188884A1 (en) * 2014-12-29 2016-06-30 International Business Machines Corporation Application Decomposition Using Data Obtained From External Tools For Use In Threat Modeling
US9398038B2 (en) 2013-02-08 2016-07-19 PhishMe, Inc. Collaborative phishing attack detection
US9456001B2 (en) 2013-01-31 2016-09-27 Hewlett Packard Enterprise Development Lp Attack notification
US9491187B2 (en) 2013-02-15 2016-11-08 Qualcomm Incorporated APIs for obtaining device-specific behavior classifier models from the cloud
US9495537B2 (en) 2012-08-15 2016-11-15 Qualcomm Incorporated Adaptive observation of behavioral features on a mobile device
US20170078315A1 (en) * 2015-09-11 2017-03-16 Beyondtrust Software, Inc. Systems and methods for detecting vulnerabilities and privileged access using cluster outliers
US20170085587A1 (en) * 2010-11-29 2017-03-23 Biocatch Ltd. Device, method, and system of generating fraud-alerts for cyber-attacks
US9609456B2 (en) 2012-05-14 2017-03-28 Qualcomm Incorporated Methods, devices, and systems for communicating behavioral analysis information
US9621404B2 (en) 2011-09-24 2017-04-11 Elwha Llc Behavioral fingerprinting with social networking
US20170154183A1 (en) * 2015-11-30 2017-06-01 Jpmorgan Chase Bank, N.A. Systems and Methods for Software Security Scanning Employing a Scan Quality Index
US9684870B2 (en) 2013-01-02 2017-06-20 Qualcomm Incorporated Methods and systems of using boosted decision stumps and joint feature selection and culling algorithms for the efficient classification of mobile device behaviors
US9686023B2 (en) 2013-01-02 2017-06-20 Qualcomm Incorporated Methods and systems of dynamically generating and using device-specific and device-state-specific classifier models for the efficient classification of mobile device behaviors
US9690635B2 (en) 2012-05-14 2017-06-27 Qualcomm Incorporated Communicating behavior information in a mobile computing device
US9699207B2 (en) 2015-02-05 2017-07-04 Phishline, Llc Social engineering simulation workflow appliance
US9729549B2 (en) 2011-09-24 2017-08-08 Elwha Llc Behavioral fingerprinting with adaptive development
US9729505B2 (en) 2013-01-31 2017-08-08 Entit Software Llc Security threat analysis
EP3206153A1 (en) * 2016-02-09 2017-08-16 Darktrace Limited Cyber security
US9742559B2 (en) 2013-01-22 2017-08-22 Qualcomm Incorporated Inter-module authentication for securing application execution integrity within a computing device
US9747440B2 (en) 2012-08-15 2017-08-29 Qualcomm Incorporated On-line behavioral analysis engine in mobile device with multiple analyzer model providers
US9825967B2 (en) 2011-09-24 2017-11-21 Elwha Llc Behavioral fingerprinting via social networking interaction
US9824199B2 (en) 2011-08-25 2017-11-21 T-Mobile Usa, Inc. Multi-factor profile and security fingerprint analysis
US9906554B2 (en) 2015-04-10 2018-02-27 PhishMe, Inc. Suspicious message processing and incident response
US20180115542A1 (en) * 2016-10-24 2018-04-26 Caradigm Usa Llc Security mechanism for multi-tiered server-implemented applications
US9959531B2 (en) 2011-08-18 2018-05-01 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US10089582B2 (en) 2013-01-02 2018-10-02 Qualcomm Incorporated Using normalized confidence values for classifying mobile device behaviors
US10121129B2 (en) 2011-07-05 2018-11-06 Visa International Service Association Electronic wallet checkout platform apparatuses, methods and systems
US10154084B2 (en) 2011-07-05 2018-12-11 Visa International Service Association Hybrid applications utilizing distributed models and views apparatuses, methods and systems
US10168413B2 (en) 2011-03-25 2019-01-01 T-Mobile Usa, Inc. Service enhancements using near field communication
US10193741B2 (en) 2016-04-18 2019-01-29 Nyansa, Inc. System and method for network incident identification and analysis
US10200267B2 (en) 2016-04-18 2019-02-05 Nyansa, Inc. System and method for client network congestion detection, analysis, and management
US10212391B2 (en) * 2014-10-21 2019-02-19 Haedenbridge Co., Ltd. Method and system for providing large-scale group communications
US10223691B2 (en) 2011-02-22 2019-03-05 Visa International Service Association Universal electronic payment apparatuses, methods and systems
US10223730B2 (en) 2011-09-23 2019-03-05 Visa International Service Association E-wallet store injection search apparatuses, methods and systems
US10230609B2 (en) 2016-04-18 2019-03-12 Nyansa, Inc. System and method for using real-time packet data to detect and manage network issues
US10237298B1 (en) * 2014-06-17 2019-03-19 Wells Fargo Bank, N.A. Session management
US10256979B2 (en) 2012-06-05 2019-04-09 Lookout, Inc. Assessing application authenticity and performing an action in response to an evaluation result
US10263996B1 (en) * 2018-08-13 2019-04-16 Capital One Services, Llc Detecting fraudulent user access to online web services via user flow
US10262001B2 (en) 2012-02-02 2019-04-16 Visa International Service Association Multi-source, multi-dimensional, cross-entity, multimedia merchant analytics database platform apparatuses, methods and systems
US10333990B2 (en) 2006-09-13 2019-06-25 Sophos Limited Policy management
US10482404B2 (en) 2014-09-25 2019-11-19 Oracle International Corporation Delegated privileged access grants
JP2019533851A (en) * 2016-07-22 2019-11-21 アリババ グループ ホウルディング リミテッド Aggregation of service data for transmission and risk analysis
US10540494B2 (en) 2015-05-01 2020-01-21 Lookout, Inc. Determining source of side-loaded software using an administrator server
US10586227B2 (en) 2011-02-16 2020-03-10 Visa International Service Association Snap mobile payment apparatuses, methods and systems
US10601850B2 (en) 2015-03-02 2020-03-24 Alibaba Group Holding Limited Identifying risky user behaviors in computer networks
US10635817B2 (en) 2013-01-31 2020-04-28 Micro Focus Llc Targeted security alerts
US10666494B2 (en) 2017-11-10 2020-05-26 Nyansa, Inc. System and method for network incident remediation recommendations
US10776463B2 (en) * 2015-08-12 2020-09-15 Kryptowire LLC Active authentication of users
CN111831881A (en) * 2020-07-04 2020-10-27 西安交通大学 Malicious crawler detection method based on website traffic log data and optimized spectral clustering algorithm
US10825001B2 (en) 2011-08-18 2020-11-03 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US20200356663A1 (en) * 2018-01-18 2020-11-12 Risksense, Inc. Complex Application Attack Quantification, Testing, Detection and Prevention
EP3211854B1 (en) * 2016-02-25 2020-12-02 Darktrace Limited Cyber security
US10929923B1 (en) 2014-06-17 2021-02-23 Wells Fargo Bank, N.A. Security scoring
US10949542B2 (en) 2018-11-25 2021-03-16 International Business Machines Corporation Self-evolved adjustment framework for cloud-based large system based on machine learning
US10977361B2 (en) 2017-05-16 2021-04-13 Beyondtrust Software, Inc. Systems and methods for controlling privileged operations
US10986121B2 (en) 2019-01-24 2021-04-20 Darktrace Limited Multivariate network structure anomaly detector
US11037138B2 (en) 2011-08-18 2021-06-15 Visa International Service Association Third-party value added wallet features and interfaces apparatuses, methods, and systems
US11038876B2 (en) 2017-06-09 2021-06-15 Lookout, Inc. Managing access to services based on fingerprint matching
US11075932B2 (en) 2018-02-20 2021-07-27 Darktrace Holdings Limited Appliance extension for remote communication with a cyber security appliance
US11108817B2 (en) * 2018-03-30 2021-08-31 Beijing Baidu Netcom Science And Technology Co., Ltd. SQL injection interception detection method and device, apparatus and computer readable medium
US20210329030A1 (en) * 2010-11-29 2021-10-21 Biocatch Ltd. Device, System, and Method of Detecting Vishing Attacks
WO2021228659A1 (en) * 2020-05-13 2021-11-18 Netacea Limited Method of processing a new visitor session to a web-based system
US11288661B2 (en) 2011-02-16 2022-03-29 Visa International Service Association Snap mobile payment apparatuses, methods and systems
US11405412B2 (en) * 2019-12-30 2022-08-02 Imperva, Inc. Inline anomaly detection for multi-request operations
US11463457B2 (en) 2018-02-20 2022-10-04 Darktrace Holdings Limited Artificial intelligence (AI) based cyber threat analyst to support a cyber security appliance
US11470103B2 (en) 2016-02-09 2022-10-11 Darktrace Holdings Limited Anomaly alert system for cyber threat detection
US11477222B2 (en) 2018-02-20 2022-10-18 Darktrace Holdings Limited Cyber threat defense system protecting email networks with machine learning models using a range of metadata from observed email communications
US11528149B2 (en) 2019-04-26 2022-12-13 Beyondtrust Software, Inc. Root-level application selective configuration
US20230031182A1 (en) * 2019-02-04 2023-02-02 802 Secure, Inc. Zero Trust Wireless Monitoring - System and Method for Behavior Based Monitoring of Radio Frequency Environments
US20230045301A1 (en) * 2021-08-09 2023-02-09 Bank Of America Corporation Scheme evaluation authentication system
US11620396B2 (en) 2017-09-12 2023-04-04 Sophos Limited Secure firewall configurations
US11693964B2 (en) 2014-08-04 2023-07-04 Darktrace Holdings Limited Cyber security using one or more models trained on a normal behavior
US11709944B2 (en) 2019-08-29 2023-07-25 Darktrace Holdings Limited Intelligent adversary simulator
US11729283B2 (en) * 2018-07-03 2023-08-15 Naver Corporation Apparatus for analysing online user behavior and method for the same
US11924238B2 (en) 2018-02-20 2024-03-05 Darktrace Holdings Limited Cyber threat defense system, components, and a method for using artificial intelligence models trained on a normal pattern of life for systems with unusual data sources
US11936667B2 (en) 2021-02-26 2024-03-19 Darktrace Holdings Limited Cyber security system applying network sequence prediction using transformers

Families Citing this family (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8966036B1 (en) * 2010-11-24 2015-02-24 Google Inc. Method and system for website user account management based on event transition matrixes
EP2492832B1 (en) * 2011-02-22 2021-08-18 Siemens Healthcare GmbH Optimisation of a software application implemented on a client server system
US8793790B2 (en) * 2011-10-11 2014-07-29 Honeywell International Inc. System and method for insider threat detection
US9280669B2 (en) 2012-05-11 2016-03-08 Infosys Limited Systems, methods and computer readable media for calculating a security index of an application hosted in a cloud environment
US9300682B2 (en) 2013-08-09 2016-03-29 Lockheed Martin Corporation Composite analysis of executable content across enterprise network
JP6208029B2 (en) * 2014-01-30 2017-10-04 株式会社日立製作所 Monitoring device for business system and control method for monitoring device
JP2016038627A (en) * 2014-08-05 2016-03-22 Kddi株式会社 Monitoring system, observation apparatus, analyzer, monitoring method, and computer program
US9680832B1 (en) 2014-12-30 2017-06-13 Juniper Networks, Inc. Using a probability-based model to detect random content in a protocol field associated with network traffic
CN106598972B (en) * 2015-10-14 2020-05-08 阿里巴巴集团控股有限公司 Information display method and device and intelligent terminal
CN106789831B (en) 2015-11-19 2020-10-23 阿里巴巴集团控股有限公司 Method and device for identifying network attack
US10970395B1 (en) 2018-01-18 2021-04-06 Pure Storage, Inc Security threat monitoring for a storage system
US11010233B1 (en) 2018-01-18 2021-05-18 Pure Storage, Inc Hardware-based system monitoring
CN108989095B (en) * 2018-06-28 2021-03-23 安徽大学 Public cloud credibility evaluation method capable of resisting malicious evaluation and evaluation system thereof
WO2020117681A1 (en) 2018-12-03 2020-06-11 Salesforce.Com, Inc. Automated operations management for computer systems
US11163889B2 (en) 2019-06-14 2021-11-02 Bank Of America Corporation System and method for analyzing and remediating computer application vulnerabilities via multidimensional correlation and prioritization
US11645162B2 (en) 2019-11-22 2023-05-09 Pure Storage, Inc. Recovery point determination for data restoration in a storage system
US11651075B2 (en) 2019-11-22 2023-05-16 Pure Storage, Inc. Extensible attack monitoring by a storage system
US11720714B2 (en) 2019-11-22 2023-08-08 Pure Storage, Inc. Inter-I/O relationship based detection of a security threat to a storage system
US11625481B2 (en) 2019-11-22 2023-04-11 Pure Storage, Inc. Selective throttling of operations potentially related to a security threat to a storage system
US11657155B2 (en) 2019-11-22 2023-05-23 Pure Storage, Inc Snapshot delta metric based determination of a possible ransomware attack against data maintained by a storage system
US11500788B2 (en) 2019-11-22 2022-11-15 Pure Storage, Inc. Logical address based authorization of operations with respect to a storage system
US11720692B2 (en) 2019-11-22 2023-08-08 Pure Storage, Inc. Hardware token based management of recovery datasets for a storage system
US11675898B2 (en) 2019-11-22 2023-06-13 Pure Storage, Inc. Recovery dataset management for security threat monitoring
US11615185B2 (en) 2019-11-22 2023-03-28 Pure Storage, Inc. Multi-layer security threat detection for a storage system
US11341236B2 (en) 2019-11-22 2022-05-24 Pure Storage, Inc. Traffic-based detection of a security threat to a storage system
US11520907B1 (en) 2019-11-22 2022-12-06 Pure Storage, Inc. Storage system snapshot retention based on encrypted data
US11755751B2 (en) 2019-11-22 2023-09-12 Pure Storage, Inc. Modify access restrictions in response to a possible attack against data stored by a storage system
US11687418B2 (en) 2019-11-22 2023-06-27 Pure Storage, Inc. Automatic generation of recovery plans specific to individual storage elements
US11930025B2 (en) 2021-04-15 2024-03-12 Bank Of America Corporation Threat detection and prevention for information systems
US11785025B2 (en) 2021-04-15 2023-10-10 Bank Of America Corporation Threat detection within information systems

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030172166A1 (en) * 2002-03-08 2003-09-11 Paul Judge Systems and methods for enhancing electronic communication security
US20060179296A1 (en) * 2004-10-15 2006-08-10 Protegrity Corporation Cooperative processing and escalation in a multi-node application-layer security system and method
US7307999B1 (en) * 2001-02-16 2007-12-11 Bbn Technologies Corp. Systems and methods that identify normal traffic during network attacks
US20090100518A1 (en) * 2007-09-21 2009-04-16 Kevin Overcash System and method for detecting security defects in applications

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6405318B1 (en) * 1999-03-12 2002-06-11 Psionic Software, Inc. Intrusion detection system
US7096498B2 (en) * 2002-03-08 2006-08-22 Cipher Trust, Inc. Systems and methods for message threat management
WO2004084063A1 (en) * 2003-03-17 2004-09-30 Seiko Epson Corporation Method and system for preventing virus infection
JP4371905B2 (en) * 2004-05-27 2009-11-25 富士通株式会社 Unauthorized access detection device, unauthorized access detection method, unauthorized access detection program, and distributed service disablement attack detection device
JP2007047884A (en) * 2005-08-05 2007-02-22 Recruit Co Ltd Information processing system
US8272033B2 (en) * 2006-12-21 2012-09-18 International Business Machines Corporation User authentication for detecting and controlling fraudulent login behavior
JP4843546B2 (en) * 2007-03-30 2011-12-21 ヤフー株式会社 Information leakage monitoring system and information leakage monitoring method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7307999B1 (en) * 2001-02-16 2007-12-11 Bbn Technologies Corp. Systems and methods that identify normal traffic during network attacks
US20030172166A1 (en) * 2002-03-08 2003-09-11 Paul Judge Systems and methods for enhancing electronic communication security
US20060179296A1 (en) * 2004-10-15 2006-08-10 Protegrity Corporation Cooperative processing and escalation in a multi-node application-layer security system and method
US20090100518A1 (en) * 2007-09-21 2009-04-16 Kevin Overcash System and method for detecting security defects in applications

Cited By (208)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10979459B2 (en) 2006-09-13 2021-04-13 Sophos Limited Policy management
US10333989B2 (en) 2006-09-13 2019-06-25 Sophos Limited Policy management
US10333990B2 (en) 2006-09-13 2019-06-25 Sophos Limited Policy management
US20110023115A1 (en) * 2009-07-21 2011-01-27 Wright Clifford C Host intrusion prevention system using software and user behavior analysis
US20110023118A1 (en) * 2009-07-21 2011-01-27 Wright Clifford C Behavioral-based host intrusion prevention system
US8776218B2 (en) 2009-07-21 2014-07-08 Sophos Limited Behavioral-based host intrusion prevention system
US8607340B2 (en) * 2009-07-21 2013-12-10 Sophos Limited Host intrusion prevention system using software and user behavior analysis
US9210182B2 (en) 2009-07-21 2015-12-08 Sophos Limited Behavioral-based host intrusion prevention system
US20110321164A1 (en) * 2010-06-28 2011-12-29 Infosys Technologies Limited Method and system for adaptive vulnerability scanning of an application
US8839441B2 (en) * 2010-06-28 2014-09-16 Infosys Limited Method and system for adaptive vulnerability scanning of an application
US20120030767A1 (en) * 2010-07-29 2012-02-02 Accenture Global Services Limited. System and method for performing threat assessments using situational awareness
US8607353B2 (en) * 2010-07-29 2013-12-10 Accenture Global Services Gmbh System and method for performing threat assessments using situational awareness
US20170085587A1 (en) * 2010-11-29 2017-03-23 Biocatch Ltd. Device, method, and system of generating fraud-alerts for cyber-attacks
US11838118B2 (en) * 2010-11-29 2023-12-05 Biocatch Ltd. Device, system, and method of detecting vishing attacks
US10404729B2 (en) * 2010-11-29 2019-09-03 Biocatch Ltd. Device, method, and system of generating fraud-alerts for cyber-attacks
US20210329030A1 (en) * 2010-11-29 2021-10-21 Biocatch Ltd. Device, System, and Method of Detecting Vishing Attacks
US8918834B1 (en) * 2010-12-17 2014-12-23 Amazon Technologies, Inc. Creating custom policies in a remote-computing environment
US10586227B2 (en) 2011-02-16 2020-03-10 Visa International Service Association Snap mobile payment apparatuses, methods and systems
US11288661B2 (en) 2011-02-16 2022-03-29 Visa International Service Association Snap mobile payment apparatuses, methods and systems
US10223691B2 (en) 2011-02-22 2019-03-05 Visa International Service Association Universal electronic payment apparatuses, methods and systems
US11023886B2 (en) 2011-02-22 2021-06-01 Visa International Service Association Universal electronic payment apparatuses, methods and systems
US10168413B2 (en) 2011-03-25 2019-01-01 T-Mobile Usa, Inc. Service enhancements using near field communication
US11002822B2 (en) 2011-03-25 2021-05-11 T-Mobile Usa, Inc. Service enhancements using near field communication
US11270342B2 (en) * 2011-04-28 2022-03-08 Rovi Guides, Inc. Systems and methods for deducing user information from input device behavior
US20120278179A1 (en) * 2011-04-28 2012-11-01 Ray Campbell Systems and methods for deducing user information from input device behavior
US20190026776A1 (en) * 2011-04-28 2019-01-24 Rovi Guides, Inc. Systems and methods for deducing user information from input device behavior
US10121129B2 (en) 2011-07-05 2018-11-06 Visa International Service Association Electronic wallet checkout platform apparatuses, methods and systems
US11010753B2 (en) 2011-07-05 2021-05-18 Visa International Service Association Electronic wallet checkout platform apparatuses, methods and systems
US10154084B2 (en) 2011-07-05 2018-12-11 Visa International Service Association Hybrid applications utilizing distributed models and views apparatuses, methods and systems
US11900359B2 (en) 2011-07-05 2024-02-13 Visa International Service Association Electronic wallet checkout platform apparatuses, methods and systems
US10803449B2 (en) 2011-07-05 2020-10-13 Visa International Service Association Electronic wallet checkout platform apparatuses, methods and systems
US10419529B2 (en) 2011-07-05 2019-09-17 Visa International Service Association Hybrid applications utilizing distributed models and views apparatuses, methods and systems
US9282090B2 (en) * 2011-08-05 2016-03-08 Safefaces LLC Methods and systems for identity verification in a social network using ratings
US20150052594A1 (en) * 2011-08-05 2015-02-19 Safefaces LLC Methods and systems for identity verification in a social network using ratings
US10242358B2 (en) * 2011-08-18 2019-03-26 Visa International Service Association Remote decoupled application persistent state apparatuses, methods and systems
US11010756B2 (en) 2011-08-18 2021-05-18 Visa International Service Association Remote decoupled application persistent state apparatuses, methods and systems
US11037138B2 (en) 2011-08-18 2021-06-15 Visa International Service Association Third-party value added wallet features and interfaces apparatuses, methods, and systems
US11763294B2 (en) 2011-08-18 2023-09-19 Visa International Service Association Remote decoupled application persistent state apparatuses, methods and systems
US10825001B2 (en) 2011-08-18 2020-11-03 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US11803825B2 (en) 2011-08-18 2023-10-31 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US11397931B2 (en) 2011-08-18 2022-07-26 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US20150058162A1 (en) * 2011-08-18 2015-02-26 Visa International Service Association Remote Decoupled Application persistent State Apparatuses, Methods and Systems
US10354240B2 (en) 2011-08-18 2019-07-16 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US9959531B2 (en) 2011-08-18 2018-05-01 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US20130054433A1 (en) * 2011-08-25 2013-02-28 T-Mobile Usa, Inc. Multi-Factor Identity Fingerprinting with User Behavior
US11138300B2 (en) 2011-08-25 2021-10-05 T-Mobile Usa, Inc. Multi-factor profile and security fingerprint analysis
EP2748781A4 (en) * 2011-08-25 2015-03-04 T Mobile Usa Inc Multi-factor identity fingerprinting with user behavior
WO2013028794A2 (en) 2011-08-25 2013-02-28 T-Mobile Usa, Inc. Multi-factor identity fingerprinting with user behavior
US9824199B2 (en) 2011-08-25 2017-11-21 T-Mobile Usa, Inc. Multi-factor profile and security fingerprint analysis
US11354723B2 (en) 2011-09-23 2022-06-07 Visa International Service Association Smart shopping cart with E-wallet store injection search
US10223730B2 (en) 2011-09-23 2019-03-05 Visa International Service Association E-wallet store injection search apparatuses, methods and systems
US9298900B2 (en) 2011-09-24 2016-03-29 Elwha Llc Behavioral fingerprinting via inferred personal relation
US8869241B2 (en) * 2011-09-24 2014-10-21 Elwha Llc Network acquired behavioral fingerprint for authentication
US9729549B2 (en) 2011-09-24 2017-08-08 Elwha Llc Behavioral fingerprinting with adaptive development
US20130167207A1 (en) * 2011-09-24 2013-06-27 Marc E. Davis Network Acquired Behavioral Fingerprint for Authentication
US9825967B2 (en) 2011-09-24 2017-11-21 Elwha Llc Behavioral fingerprinting via social networking interaction
US9621404B2 (en) 2011-09-24 2017-04-11 Elwha Llc Behavioral fingerprinting with social networking
US9015860B2 (en) 2011-09-24 2015-04-21 Elwha Llc Behavioral fingerprinting via derived personal relation
US9083687B2 (en) 2011-09-24 2015-07-14 Elwha Llc Multi-device behavioral fingerprinting
US8713704B2 (en) 2011-09-24 2014-04-29 Elwha Llc Behavioral fingerprint based authentication
US8688980B2 (en) 2011-09-24 2014-04-01 Elwha Llc Trust verification schema based transaction authorization
US8689350B2 (en) * 2011-09-24 2014-04-01 Elwha Llc Behavioral fingerprint controlled theft detection and recovery
US20130191887A1 (en) * 2011-10-13 2013-07-25 Marc E. Davis Social network based trust verification Schema
US8555077B2 (en) 2011-11-23 2013-10-08 Elwha Llc Determining device identity using a behavioral fingerprint
US9348985B2 (en) * 2011-11-23 2016-05-24 Elwha Llc Behavioral fingerprint controlled automatic task determination
US20130133033A1 (en) * 2011-11-23 2013-05-23 Marc E. Davis Behavioral fingerprint controlled automatic task determination
US9224117B2 (en) 2012-01-27 2015-12-29 Phishline, Llc Software service to facilitate organizational testing of employees to determine their potential susceptibility to phishing scams
US9881271B2 (en) 2012-01-27 2018-01-30 Phishline, Llc Software service to facilitate organizational testing of employees to determine their potential susceptibility to phishing scams
US8484741B1 (en) 2012-01-27 2013-07-09 Chapman Technology Group, Inc. Software service to facilitate organizational testing of employees to determine their potential susceptibility to phishing scams
US11074218B2 (en) 2012-02-02 2021-07-27 Visa International Service Association Multi-source, multi-dimensional, cross-entity, multimedia merchant analytics database platform apparatuses, methods and systems
US11036681B2 (en) 2012-02-02 2021-06-15 Visa International Service Association Multi-source, multi-dimensional, cross-entity, multimedia analytical model sharing database platform apparatuses, methods and systems
US10983960B2 (en) 2012-02-02 2021-04-20 Visa International Service Association Multi-source, multi-dimensional, cross-entity, multimedia centralized personal information database platform apparatuses, methods and systems
US10262001B2 (en) 2012-02-02 2019-04-16 Visa International Service Association Multi-source, multi-dimensional, cross-entity, multimedia merchant analytics database platform apparatuses, methods and systems
US10430381B2 (en) 2012-02-02 2019-10-01 Visa International Service Association Multi-source, multi-dimensional, cross-entity, multimedia centralized personal information database platform apparatuses, methods and systems
US20140379906A1 (en) * 2012-02-03 2014-12-25 Innometrics Ab Method for tracking user interaction with a web page
US9292685B2 (en) 2012-05-14 2016-03-22 Qualcomm Incorporated Techniques for autonomic reverting to behavioral checkpoints
US9189624B2 (en) 2012-05-14 2015-11-17 Qualcomm Incorporated Adaptive observation of behavioral features on a heterogeneous platform
US9298494B2 (en) 2012-05-14 2016-03-29 Qualcomm Incorporated Collaborative learning for efficient behavioral analysis in networked mobile device
US9324034B2 (en) 2012-05-14 2016-04-26 Qualcomm Incorporated On-device real-time behavior analyzer
US20130304677A1 (en) * 2012-05-14 2013-11-14 Qualcomm Incorporated Architecture for Client-Cloud Behavior Analyzer
US9349001B2 (en) 2012-05-14 2016-05-24 Qualcomm Incorporated Methods and systems for minimizing latency of behavioral analysis
US9690635B2 (en) 2012-05-14 2017-06-27 Qualcomm Incorporated Communicating behavior information in a mobile computing device
US9202047B2 (en) 2012-05-14 2015-12-01 Qualcomm Incorporated System, apparatus, and method for adaptive observation of mobile device behavior
US9609456B2 (en) 2012-05-14 2017-03-28 Qualcomm Incorporated Methods, devices, and systems for communicating behavioral analysis information
US9152787B2 (en) 2012-05-14 2015-10-06 Qualcomm Incorporated Adaptive observation of behavioral features on a heterogeneous platform
US9898602B2 (en) 2012-05-14 2018-02-20 Qualcomm Incorporated System, apparatus, and method for adaptive observation of mobile device behavior
US10256979B2 (en) 2012-06-05 2019-04-09 Lookout, Inc. Assessing application authenticity and performing an action in response to an evaluation result
US10419222B2 (en) * 2012-06-05 2019-09-17 Lookout, Inc. Monitoring for fraudulent or harmful behavior in applications being installed on user devices
US11336458B2 (en) * 2012-06-05 2022-05-17 Lookout, Inc. Evaluating authenticity of applications based on assessing user device context for increased security
US9747440B2 (en) 2012-08-15 2017-08-29 Qualcomm Incorporated On-line behavioral analysis engine in mobile device with multiple analyzer model providers
US9495537B2 (en) 2012-08-15 2016-11-15 Qualcomm Incorporated Adaptive observation of behavioral features on a mobile device
US9330257B2 (en) 2012-08-15 2016-05-03 Qualcomm Incorporated Adaptive observation of behavioral features on a mobile device
US9319897B2 (en) 2012-08-15 2016-04-19 Qualcomm Incorporated Secure behavior analysis over trusted execution environment
US9336388B2 (en) * 2012-12-10 2016-05-10 Palo Alto Research Center Incorporated Method and system for thwarting insider attacks through informational network analysis
US10089582B2 (en) 2013-01-02 2018-10-02 Qualcomm Incorporated Using normalized confidence values for classifying mobile device behaviors
US9686023B2 (en) 2013-01-02 2017-06-20 Qualcomm Incorporated Methods and systems of dynamically generating and using device-specific and device-state-specific classifier models for the efficient classification of mobile device behaviors
US9684870B2 (en) 2013-01-02 2017-06-20 Qualcomm Incorporated Methods and systems of using boosted decision stumps and joint feature selection and culling algorithms for the efficient classification of mobile device behaviors
US9742559B2 (en) 2013-01-22 2017-08-22 Qualcomm Incorporated Inter-module authentication for securing application execution integrity within a computing device
US9143517B2 (en) 2013-01-31 2015-09-22 Hewlett-Packard Development Company, L.P. Threat exchange information protection
US9275348B2 (en) 2013-01-31 2016-03-01 Hewlett Packard Enterprise Development Lp Identifying participants for collaboration in a threat exchange community
US9456001B2 (en) 2013-01-31 2016-09-27 Hewlett Packard Enterprise Development Lp Attack notification
US9729505B2 (en) 2013-01-31 2017-08-08 Entit Software Llc Security threat analysis
US10635817B2 (en) 2013-01-31 2020-04-28 Micro Focus Llc Targeted security alerts
US9325730B2 (en) 2013-02-08 2016-04-26 PhishMe, Inc. Collaborative phishing attack detection
US8719940B1 (en) 2013-02-08 2014-05-06 PhishMe, Inc. Collaborative phishing attack detection
US9356948B2 (en) 2013-02-08 2016-05-31 PhishMe, Inc. Collaborative phishing attack detection
US9398038B2 (en) 2013-02-08 2016-07-19 PhishMe, Inc. Collaborative phishing attack detection
US9674221B1 (en) 2013-02-08 2017-06-06 PhishMe, Inc. Collaborative phishing attack detection
US8615807B1 (en) 2013-02-08 2013-12-24 PhishMe, Inc. Simulated phishing attack with sequential messages
US8966637B2 (en) 2013-02-08 2015-02-24 PhishMe, Inc. Performance benchmarking for simulated phishing attacks
US9591017B1 (en) 2013-02-08 2017-03-07 PhishMe, Inc. Collaborative phishing attack detection
US10187407B1 (en) 2013-02-08 2019-01-22 Cofense Inc. Collaborative phishing attack detection
US10819744B1 (en) 2013-02-08 2020-10-27 Cofense Inc Collaborative phishing attack detection
US9253207B2 (en) 2013-02-08 2016-02-02 PhishMe, Inc. Collaborative phishing attack detection
US9053326B2 (en) 2013-02-08 2015-06-09 PhishMe, Inc. Simulated phishing attack with sequential messages
US9667645B1 (en) 2013-02-08 2017-05-30 PhishMe, Inc. Performance benchmarking for simulated phishing attacks
US9246936B1 (en) 2013-02-08 2016-01-26 PhishMe, Inc. Performance benchmarking for simulated phishing attacks
US8635703B1 (en) 2013-02-08 2014-01-21 PhishMe, Inc. Performance benchmarking for simulated phishing attacks
US9491187B2 (en) 2013-02-15 2016-11-08 Qualcomm Incorporated APIs for obtaining device-specific behavior classifier models from the cloud
US20140279767A1 (en) * 2013-03-14 2014-09-18 Telmate, Llc Determining a threat level for one or more individuals
US9495636B2 (en) 2013-03-14 2016-11-15 Intelmate Llc Determining a threat level for one or more individuals
US9117171B2 (en) * 2013-03-14 2015-08-25 Intelmate Llc Determining a threat level for one or more individuals
US9817969B2 (en) * 2013-10-15 2017-11-14 Penta Security Systems Inc. Device for detecting cyber attack based on event analysis and method thereof
US20150106933A1 (en) * 2013-10-15 2015-04-16 Penta Security Systems Inc. Device for detecting cyber attack based on event analysis and method thereof
US10630547B2 (en) 2013-10-21 2020-04-21 Nyansa, Inc System and method for automatic closed loop control
US11374812B2 (en) 2013-10-21 2022-06-28 Vmware, Inc. System and method for observing and controlling a programmable network via higher layer attributes
US10601654B2 (en) 2013-10-21 2020-03-24 Nyansa, Inc. System and method for observing and controlling a programmable network using a remote network manager
US11469947B2 (en) 2013-10-21 2022-10-11 Vmware, Inc. System and method for observing and controlling a programmable network using cross network learning
US11916735B2 (en) 2013-10-21 2024-02-27 VMware LLC System and method for observing and controlling a programmable network using cross network learning
US20150142962A1 (en) * 2013-10-21 2015-05-21 Nyansa, Inc. System and method for observing and controlling a programmable network using cross network learning
US11469946B2 (en) 2013-10-21 2022-10-11 Vmware, Inc. System and method for observing and controlling a programmable network using time varying data collection
US9262629B2 (en) 2014-01-21 2016-02-16 PhishMe, Inc. Methods and systems for preventing malicious use of phishing simulation records
US10237298B1 (en) * 2014-06-17 2019-03-19 Wells Fargo Bank, N.A. Session management
US11848957B1 (en) * 2014-06-17 2023-12-19 Wells Fargo Bank, N.A. Session management
US10929923B1 (en) 2014-06-17 2021-02-23 Wells Fargo Bank, N.A. Security scoring
US11503068B1 (en) * 2014-06-17 2022-11-15 Wells Fargo Bank, N.A. Session management
US10284573B1 (en) * 2014-06-17 2019-05-07 Wells Fargo Bank, N.A. Friction management
US11693964B2 (en) 2014-08-04 2023-07-04 Darktrace Holdings Limited Cyber security using one or more models trained on a normal behavior
US20160094577A1 (en) * 2014-09-25 2016-03-31 Oracle International Corporation Privileged session analytics
US10530790B2 (en) * 2014-09-25 2020-01-07 Oracle International Corporation Privileged session analytics
US10482404B2 (en) 2014-09-25 2019-11-19 Oracle International Corporation Delegated privileged access grants
US10212391B2 (en) * 2014-10-21 2019-02-19 Haedenbridge Co., Ltd. Method and system for providing large-scale group communications
US20160188884A1 (en) * 2014-12-29 2016-06-30 International Business Machines Corporation Application Decomposition Using Data Obtained From External Tools For Use In Threat Modeling
US9871817B2 (en) 2015-02-05 2018-01-16 Phishline, Llc Social engineering simulation workflow appliance
US9699207B2 (en) 2015-02-05 2017-07-04 Phishline, Llc Social engineering simulation workflow appliance
US10601850B2 (en) 2015-03-02 2020-03-24 Alibaba Group Holding Limited Identifying risky user behaviors in computer networks
US9906539B2 (en) 2015-04-10 2018-02-27 PhishMe, Inc. Suspicious message processing and incident response
US9906554B2 (en) 2015-04-10 2018-02-27 PhishMe, Inc. Suspicious message processing and incident response
US10540494B2 (en) 2015-05-01 2020-01-21 Lookout, Inc. Determining source of side-loaded software using an administrator server
US11259183B2 (en) 2015-05-01 2022-02-22 Lookout, Inc. Determining a security state designation for a computing device based on a source of software
US10776463B2 (en) * 2015-08-12 2020-09-15 Kryptowire LLC Active authentication of users
US20170078315A1 (en) * 2015-09-11 2017-03-16 Beyondtrust Software, Inc. Systems and methods for detecting vulnerabilities and privileged access using cluster outliers
US10496818B2 (en) * 2015-11-30 2019-12-03 Jpmorgan Chase Bank, N.A. Systems and methods for software security scanning employing a scan quality index
US20170154183A1 (en) * 2015-11-30 2017-06-01 Jpmorgan Chase Bank, N.A. Systems and Methods for Software Security Scanning Employing a Scan Quality Index
EP4033387A1 (en) * 2016-02-09 2022-07-27 Darktrace Holdings Limited Cyber security
US10419466B2 (en) 2016-02-09 2019-09-17 Darktrace Limited Cyber security using a model of normal behavior for a group of entities
EP3206153A1 (en) * 2016-02-09 2017-08-16 Darktrace Limited Cyber security
US11470103B2 (en) 2016-02-09 2022-10-11 Darktrace Holdings Limited Anomaly alert system for cyber threat detection
EP3211854B1 (en) * 2016-02-25 2020-12-02 Darktrace Limited Cyber security
US10230609B2 (en) 2016-04-18 2019-03-12 Nyansa, Inc. System and method for using real-time packet data to detect and manage network issues
US10601691B2 (en) 2016-04-18 2020-03-24 Nyansa, Inc. System and method for using real-time packet data to detect and manage network issues
US11706115B2 (en) 2016-04-18 2023-07-18 Vmware, Inc. System and method for using real-time packet data to detect and manage network issues
US10193741B2 (en) 2016-04-18 2019-01-29 Nyansa, Inc. System and method for network incident identification and analysis
US11102102B2 (en) 2016-04-18 2021-08-24 Vmware, Inc. System and method for using real-time packet data to detect and manage network issues
US10200267B2 (en) 2016-04-18 2019-02-05 Nyansa, Inc. System and method for client network congestion detection, analysis, and management
JP2019533851A (en) * 2016-07-22 2019-11-21 アリババ グループ ホウルディング リミテッド Aggregation of service data for transmission and risk analysis
US20180115542A1 (en) * 2016-10-24 2018-04-26 Caradigm Usa Llc Security mechanism for multi-tiered server-implemented applications
US10977361B2 (en) 2017-05-16 2021-04-13 Beyondtrust Software, Inc. Systems and methods for controlling privileged operations
US11038876B2 (en) 2017-06-09 2021-06-15 Lookout, Inc. Managing access to services based on fingerprint matching
US11620396B2 (en) 2017-09-12 2023-04-04 Sophos Limited Secure firewall configurations
US10666494B2 (en) 2017-11-10 2020-05-26 Nyansa, Inc. System and method for network incident remediation recommendations
US11431550B2 (en) 2017-11-10 2022-08-30 Vmware, Inc. System and method for network incident remediation recommendations
US20200356663A1 (en) * 2018-01-18 2020-11-12 Risksense, Inc. Complex Application Attack Quantification, Testing, Detection and Prevention
US11689556B2 (en) 2018-02-20 2023-06-27 Darktrace Holdings Limited Incorporating software-as-a-service data into a cyber threat defense system
US11336669B2 (en) 2018-02-20 2022-05-17 Darktrace Holdings Limited Artificial intelligence cyber security analyst
US11463457B2 (en) 2018-02-20 2022-10-04 Darktrace Holdings Limited Artificial intelligence (AI) based cyber threat analyst to support a cyber security appliance
US11902321B2 (en) 2018-02-20 2024-02-13 Darktrace Holdings Limited Secure communication platform for a cybersecurity system
US11477219B2 (en) 2018-02-20 2022-10-18 Darktrace Holdings Limited Endpoint agent and system
US11075932B2 (en) 2018-02-20 2021-07-27 Darktrace Holdings Limited Appliance extension for remote communication with a cyber security appliance
US11336670B2 (en) 2018-02-20 2022-05-17 Darktrace Holdings Limited Secure communication platform for a cybersecurity system
US11522887B2 (en) 2018-02-20 2022-12-06 Darktrace Holdings Limited Artificial intelligence controller orchestrating network components for a cyber threat defense
US11843628B2 (en) 2018-02-20 2023-12-12 Darktrace Holdings Limited Cyber security appliance for an operational technology network
US11546360B2 (en) 2018-02-20 2023-01-03 Darktrace Holdings Limited Cyber security appliance for a cloud infrastructure
US11546359B2 (en) 2018-02-20 2023-01-03 Darktrace Holdings Limited Multidimensional clustering analysis and visualizing that clustered analysis on a user interface
US11457030B2 (en) 2018-02-20 2022-09-27 Darktrace Holdings Limited Artificial intelligence researcher assistant for cybersecurity analysis
US11799898B2 (en) 2018-02-20 2023-10-24 Darktrace Holdings Limited Method for sharing cybersecurity threat analysis and defensive measures amongst a community
US11606373B2 (en) 2018-02-20 2023-03-14 Darktrace Holdings Limited Cyber threat defense system protecting email networks with machine learning models
US11716347B2 (en) 2018-02-20 2023-08-01 Darktrace Holdings Limited Malicious site detection for a cyber threat response system
US11689557B2 (en) 2018-02-20 2023-06-27 Darktrace Holdings Limited Autonomous report composer
US11924238B2 (en) 2018-02-20 2024-03-05 Darktrace Holdings Limited Cyber threat defense system, components, and a method for using artificial intelligence models trained on a normal pattern of life for systems with unusual data sources
US11418523B2 (en) 2018-02-20 2022-08-16 Darktrace Holdings Limited Artificial intelligence privacy protection for cybersecurity analysis
US11477222B2 (en) 2018-02-20 2022-10-18 Darktrace Holdings Limited Cyber threat defense system protecting email networks with machine learning models using a range of metadata from observed email communications
US11108817B2 (en) * 2018-03-30 2021-08-31 Beijing Baidu Netcom Science And Technology Co., Ltd. SQL injection interception detection method and device, apparatus and computer readable medium
US11729283B2 (en) * 2018-07-03 2023-08-15 Naver Corporation Apparatus for analysing online user behavior and method for the same
US10666663B2 (en) 2018-08-13 2020-05-26 Capital One Services, Llc Detecting fraudulent user access to online web services via user flow
US10263996B1 (en) * 2018-08-13 2019-04-16 Capital One Services, Llc Detecting fraudulent user access to online web services via user flow
US10949542B2 (en) 2018-11-25 2021-03-16 International Business Machines Corporation Self-evolved adjustment framework for cloud-based large system based on machine learning
US10986121B2 (en) 2019-01-24 2021-04-20 Darktrace Limited Multivariate network structure anomaly detector
US11716623B2 (en) * 2019-02-04 2023-08-01 802 Secure, Inc. Zero trust wireless monitoring - system and method for behavior based monitoring of radio frequency environments
US20230031182A1 (en) * 2019-02-04 2023-02-02 802 Secure, Inc. Zero Trust Wireless Monitoring - System and Method for Behavior Based Monitoring of Radio Frequency Environments
US11528149B2 (en) 2019-04-26 2022-12-13 Beyondtrust Software, Inc. Root-level application selective configuration
US11709944B2 (en) 2019-08-29 2023-07-25 Darktrace Holdings Limited Intelligent adversary simulator
US11405412B2 (en) * 2019-12-30 2022-08-02 Imperva, Inc. Inline anomaly detection for multi-request operations
WO2021228659A1 (en) * 2020-05-13 2021-11-18 Netacea Limited Method of processing a new visitor session to a web-based system
CN111831881A (en) * 2020-07-04 2020-10-27 西安交通大学 Malicious crawler detection method based on website traffic log data and optimized spectral clustering algorithm
US11936667B2 (en) 2021-02-26 2024-03-19 Darktrace Holdings Limited Cyber security system applying network sequence prediction using transformers
US20230045301A1 (en) * 2021-08-09 2023-02-09 Bank Of America Corporation Scheme evaluation authentication system
US11880440B2 (en) * 2021-08-09 2024-01-23 Bank Of America Corporation Scheme evaluation authentication system

Also Published As

Publication number Publication date
CA2762429A1 (en) 2010-11-25
EP2433215A4 (en) 2013-09-04
WO2010135068A1 (en) 2010-11-25
AU2010250015A1 (en) 2011-12-08
JP2012527691A (en) 2012-11-08
US8356001B2 (en) 2013-01-15
EP2433215A1 (en) 2012-03-28

Similar Documents

Publication Publication Date Title
US8356001B2 (en) Systems and methods for application-level security
US11171925B2 (en) Evaluating and modifying countermeasures based on aggregate transaction status
US11711438B2 (en) Systems and methods for controlling data exposure using artificial-intelligence-based periodic modeling
US20200311630A1 (en) Adaptive enterprise risk evaluation
Moustafa et al. An ensemble intrusion detection technique based on proposed statistical flow features for protecting network traffic of internet of things
US9942250B2 (en) Network appliance for dynamic protection from risky network activities
Zhang et al. Causality reasoning about network events for detecting stealthy malware activities
CA2859415C (en) System for detecting, analyzing, and controlling infiltration of computer and network systems
Shrivastava et al. Attack detection and forensics using honeypot in IoT environment
US20200167705A1 (en) Adaptive enterprise risk evaluation
Alani Big data in cybersecurity: a survey of applications and future trends
WO2017011833A1 (en) Cyber security system and method using intelligent agents
Pramono Anomaly-based intrusion detection and prevention system on website usage using rule-growth sequential pattern analysis: Case study: Statistics of Indonesia (BPS) website
Gržinić et al. Lino-an intelligent system for detecting malicious web-robots
Alavizadeh et al. A survey on threat situation awareness systems: framework, techniques, and insights
Amar et al. Weighted LSTM for intrusion detection and data mining to prevent attacks
Noor et al. An intelligent context-aware threat detection and response model for smart cyber-physical systems
Hatada et al. Finding new varieties of malware with the classification of network behavior
Lee et al. DGA-based malware detection using DNS traffic analysis
Salih et al. Cyber security: performance analysis and challenges for cyber attacks detection
Yüksel et al. Towards useful anomaly detection for back office networks
Santander et al. The evolution from Traditional to Intelligent Web Security: Systematic Literature Review
Ramos et al. A Machine Learning Based Approach to Detect Stealthy Cobalt Strike C &C Activities from Encrypted Network Traffic
Abaid Time-sensitive prediction of malware attacks and analysis of machine-learning classifiers in adversarial settings
Ibrahim An architecture for network traffic anomaly detection system based on entropy analysis

Legal Events

Date Code Title Description
AS Assignment

Owner name: MARINER SYSTEMS INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:COLLAZO, CARLOS MIGUEL;REEL/FRAME:022922/0028

Effective date: 20090629

AS Assignment

Owner name: XYBERSECURE, INC., FLORIDA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MARINER SYSTEMS, INC.;REEL/FRAME:026958/0001

Effective date: 20110830

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: XYBERSHIELD, INC., FLORIDA

Free format text: CHANGE OF NAME;ASSIGNOR:XYBERSECURE, INC.;REEL/FRAME:030889/0739

Effective date: 20130619

AS Assignment

Owner name: XSI HOLD CO., CALIFORNIA

Free format text: MERGER;ASSIGNOR:XYBERSHIELD, INC.;REEL/FRAME:033325/0779

Effective date: 20131117

Owner name: LAYER8 SECURITY, INC., CALIFORNIA

Free format text: CHANGE OF NAME;ASSIGNOR:XSI HOLD CO.;REEL/FRAME:033344/0050

Effective date: 20140213

FPAY Fee payment

Year of fee payment: 4

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20210115